Malware Analysis Report

2024-11-13 16:42

Sample ID 230302-f1w5mabf42
Target a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b
SHA256 a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b
Tags
purecrypter rhadamanthys collection downloader loader stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b

Threat Level: Known bad

The file a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b was found to be: Known bad.

Malicious Activity Summary

purecrypter rhadamanthys collection downloader loader stealer

Detect rhadamanthys stealer shellcode

Purecrypter family

PureCrypter

Rhadamanthys

Executes dropped EXE

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_office_path

Checks processor information in registry

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-02 05:20

Signatures

Purecrypter family

purecrypter

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-02 05:20

Reported

2023-03-02 05:23

Platform

win10v2004-20230221-en

Max time kernel

94s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe"

Signatures

Detect rhadamanthys stealer shellcode


PureCrypter

loader downloader purecrypter

Rhadamanthys

stealer rhadamanthys

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\dllhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dllhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2288 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2288 wrote to memory of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe
PID 2288 wrote to memory of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 2288 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe
PID 4540 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1528 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Windows\system32\dllhost.exe
PID 1528 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Windows\system32\dllhost.exe
PID 1528 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Windows\system32\dllhost.exe
PID 1528 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe | C:\Windows\system32\dllhost.exe
PID 4540 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe | C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe
PID 4540 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe | C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe
PID 4624 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe

"C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe

"C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe"

C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe

C:\Users\Admin\AppData\Local\Temp\a54f7c373754274a49006f8f34c1a92479006ed4a94926ccabec704f8a3c770b.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\system32\dllhost.exe

"C:\Windows\system32\dllhost.exe"

C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe

"C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Users\Admin\AppData\Roaming\Syvrbxqdnnb.exe

C:\Users\Admin\AppData\Roaming\Syvrbxqdnnb.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | cleaning.homesecuritypc.com | udp
NL | 79.110.63.239:80 | cleaning.homesecuritypc.com | tcp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 239.63.110.79.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 20.189.173.2:443 | | tcp
US | 8.8.8.8:53 | 65.193.24.20.in-addr.arpa | udp
NL | 79.110.63.239:80 | cleaning.homesecuritypc.com | tcp
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp
NL | 87.248.202.1:80 | | tcp
US | 8.8.8.8:53 | resources-update.servesarcasm.com | udp
NL | 185.225.73.180:80 | resources-update.servesarcasm.com | tcp
US | 8.8.8.8:53 | 180.73.225.185.in-addr.arpa | udp
NL | 185.225.73.180:80 | resources-update.servesarcasm.com | tcp
NL | 87.248.202.1:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | cleaning.homesecuritypc.com | udp
NL | 79.110.63.239:80 | cleaning.homesecuritypc.com | tcp

Files

memory/2288-133-0x0000000000710000-0x0000000000718000-memory.dmp

memory/2288-134-0x0000000005790000-0x0000000005D34000-memory.dmp

memory/2288-135-0x00000000050D0000-0x0000000005162000-memory.dmp

memory/2288-136-0x0000000005170000-0x000000000517A000-memory.dmp

memory/2288-137-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/2288-138-0x0000000006DE0000-0x0000000006E02000-memory.dmp

memory/3984-139-0x0000000003280000-0x00000000032B6000-memory.dmp

memory/3984-140-0x0000000005B00000-0x0000000006128000-memory.dmp

memory/3984-141-0x0000000006130000-0x0000000006196000-memory.dmp

memory/3984-142-0x0000000006210000-0x0000000006276000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z03eaxxt.bi5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3984-149-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/3984-145-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/3984-154-0x0000000006870000-0x000000000688E000-memory.dmp

memory/3984-155-0x0000000007EF0000-0x000000000856A000-memory.dmp

memory/3984-156-0x0000000006D70000-0x0000000006D8A000-memory.dmp

memory/3984-157-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/2288-158-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/3984-159-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/3984-160-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/3984-161-0x00000000054C0000-0x00000000054D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe

MD5 f1d6d27e61bfa4f34c08ffb83d3ea808
SHA1 2bd55b621259a60e8b81b5bca27f96b7f802d64c
SHA256 529f13153377fcf82ef6b6fcf24acccec6c5d33ce65228b5efd087f21aa062c0
SHA512 cf70945fed360c4e7f11dd6791232c19c8a21e90e469bdff15d5dfea96f207ef33a22deb51bf7f4f38af0953f37fb5a01c85cc86996532d6414d5c15ace9fa76

C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe

MD5 f1d6d27e61bfa4f34c08ffb83d3ea808
SHA1 2bd55b621259a60e8b81b5bca27f96b7f802d64c
SHA256 529f13153377fcf82ef6b6fcf24acccec6c5d33ce65228b5efd087f21aa062c0
SHA512 cf70945fed360c4e7f11dd6791232c19c8a21e90e469bdff15d5dfea96f207ef33a22deb51bf7f4f38af0953f37fb5a01c85cc86996532d6414d5c15ace9fa76

C:\Users\Admin\AppData\Local\Temp\Syvrbxqdnnb.exe

MD5 f1d6d27e61bfa4f34c08ffb83d3ea808
SHA1 2bd55b621259a60e8b81b5bca27f96b7f802d64c
SHA256 529f13153377fcf82ef6b6fcf24acccec6c5d33ce65228b5efd087f21aa062c0
SHA512 cf70945fed360c4e7f11dd6791232c19c8a21e90e469bdff15d5dfea96f207ef33a22deb51bf7f4f38af0953f37fb5a01c85cc86996532d6414d5c15ace9fa76

memory/1528-176-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1528-177-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4540-178-0x000001EAFA250000-0x000001EAFA256000-memory.dmp

memory/1528-179-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4540-181-0x000001EAFBE40000-0x000001EAFBE50000-memory.dmp

memory/1528-182-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4540-183-0x000001EAFE2D0000-0x000001EAFE2F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d38824e3463c964bd6e958e864bb72e2
SHA1 54c3723b52f4710a2b3fea23e09f0c850391615c
SHA256 b7931311318796bd0b582ca1863ca07c1efa504cccdfd12bbf404a9d3cb6829b
SHA512 696c82cf9a34df30706295f5305bf9ad9b0f612337e7cc54e88502af19eb0634232f7b0c8192f88da3f4a5e222c388d458328d6230ac0a6cae3ad7733e99ad9c

memory/5052-194-0x000002614CFF0000-0x000002614D000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/5052-195-0x000002614CFF0000-0x000002614D000000-memory.dmp

memory/5052-197-0x000002614CFF0000-0x000002614D000000-memory.dmp

memory/5052-198-0x000002614CFF0000-0x000002614D000000-memory.dmp

memory/4540-199-0x000001EAFBE40000-0x000001EAFBE50000-memory.dmp

memory/1528-200-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5052-201-0x000002614CFF0000-0x000002614D000000-memory.dmp

memory/5052-202-0x000002614CFF0000-0x000002614D000000-memory.dmp

memory/5052-203-0x000002614CFF0000-0x000002614D000000-memory.dmp

memory/1528-206-0x00000000010C0000-0x00000000010DC000-memory.dmp

memory/1528-207-0x00000000010C0000-0x00000000010DC000-memory.dmp

memory/1528-208-0x00000000010E0000-0x00000000010FA000-memory.dmp

memory/1528-209-0x00000000010C0000-0x00000000010DC000-memory.dmp

memory/380-210-0x000002A8B0ED0000-0x000002A8B0ED1000-memory.dmp

memory/1528-211-0x0000000001110000-0x0000000001112000-memory.dmp

memory/380-212-0x000002A8B0FF0000-0x000002A8B0FF7000-memory.dmp

memory/380-213-0x00007FF426F40000-0x00007FF42703A000-memory.dmp

memory/380-214-0x00007FF426F40000-0x00007FF42703A000-memory.dmp

memory/1528-215-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1528-216-0x00000000010C0000-0x00000000010DC000-memory.dmp

memory/380-217-0x00007FF426F40000-0x00007FF42703A000-memory.dmp

memory/380-218-0x00007FF426F40000-0x00007FF42703A000-memory.dmp

memory/380-219-0x00007FF426F40000-0x00007FF42703A000-memory.dmp

memory/380-220-0x00007FF426F40000-0x00007FF42703A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe

MD5 cb66a06a3962f16ee5d557cf99a4b4ad
SHA1 1a4470c46e08133761b46fb76f2620432bd66d7d
SHA256 2ecdb164f65ab2d6d31742c384d2f12aa840bfa8de3c209ba17a2f80ffc13822
SHA512 4d2e92a45a72a2356814a0afd02a7a305a01878a5ae5e3e626fe1d7ec41a27ffdb20b97767346e4962e746c7175ad38963104f48d4ad90606508de67a7b0b184

C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe

MD5 cb66a06a3962f16ee5d557cf99a4b4ad
SHA1 1a4470c46e08133761b46fb76f2620432bd66d7d
SHA256 2ecdb164f65ab2d6d31742c384d2f12aa840bfa8de3c209ba17a2f80ffc13822
SHA512 4d2e92a45a72a2356814a0afd02a7a305a01878a5ae5e3e626fe1d7ec41a27ffdb20b97767346e4962e746c7175ad38963104f48d4ad90606508de67a7b0b184

C:\Users\Admin\AppData\Local\Temp\Evexzaelwjmlpmdscdyymwtl.exe

MD5 cb66a06a3962f16ee5d557cf99a4b4ad
SHA1 1a4470c46e08133761b46fb76f2620432bd66d7d
SHA256 2ecdb164f65ab2d6d31742c384d2f12aa840bfa8de3c209ba17a2f80ffc13822
SHA512 4d2e92a45a72a2356814a0afd02a7a305a01878a5ae5e3e626fe1d7ec41a27ffdb20b97767346e4962e746c7175ad38963104f48d4ad90606508de67a7b0b184

memory/4624-234-0x000001819D7E0000-0x000001819D7E6000-memory.dmp

memory/4540-235-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-236-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-238-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-240-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-242-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-244-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-246-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4624-249-0x00000181B9270000-0x00000181B9280000-memory.dmp

memory/4540-248-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-251-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-253-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-255-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-257-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-259-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-261-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-263-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-265-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-267-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-269-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-271-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-273-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-275-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-277-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-279-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-281-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-283-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-285-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

memory/4540-287-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/4540-289-0x000001EAFE670000-0x000001EAFE70A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb1c33a1a3bbff8ced39d26308f77211
SHA1 c59c693e72c74c349b245b33b907dfb4e4ba4c3a
SHA256 8685999934d4786f68afbe0f7ceeecd3e308fe8886cd2bc269ba7e3d43bf3c90
SHA512 2d07992b52f2826969a4d5549f2812fad0999d9b858ae3e56b3ded04d058dfcada1987ae3b0c2c0cbbfed4a3ac734500a89d8750dd1b85351b6efd05202669b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 687ff3bb8a8b15736d686119a681097c
SHA1 18f43aa14e56d4fb158a8804f79fc3c604903991
SHA256 51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2
SHA512 047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

memory/4744-393-0x00000204FAAC0000-0x00000204FAAD0000-memory.dmp

memory/4744-396-0x00000204FAAC0000-0x00000204FAAD0000-memory.dmp

memory/4744-397-0x00000204FAAC0000-0x00000204FAAD0000-memory.dmp

memory/4744-988-0x00000204FAAC0000-0x00000204FAAD0000-memory.dmp

memory/4744-989-0x00000204FAAC0000-0x00000204FAAD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Syvrbxqdnnb.exe

MD5 f1d6d27e61bfa4f34c08ffb83d3ea808
SHA1 2bd55b621259a60e8b81b5bca27f96b7f802d64c
SHA256 529f13153377fcf82ef6b6fcf24acccec6c5d33ce65228b5efd087f21aa062c0
SHA512 cf70945fed360c4e7f11dd6791232c19c8a21e90e469bdff15d5dfea96f207ef33a22deb51bf7f4f38af0953f37fb5a01c85cc86996532d6414d5c15ace9fa76

memory/4744-991-0x00000204FAAC0000-0x00000204FAAD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Syvrbxqdnnb.exe

MD5 f1d6d27e61bfa4f34c08ffb83d3ea808
SHA1 2bd55b621259a60e8b81b5bca27f96b7f802d64c
SHA256 529f13153377fcf82ef6b6fcf24acccec6c5d33ce65228b5efd087f21aa062c0
SHA512 cf70945fed360c4e7f11dd6791232c19c8a21e90e469bdff15d5dfea96f207ef33a22deb51bf7f4f38af0953f37fb5a01c85cc86996532d6414d5c15ace9fa76