Malware Analysis Report

2025-04-13 21:07

Sample ID 230725-em6apsac48
Target 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
SHA256 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
Tags
darkcloud stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9

Threat Level: Known bad

The file 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9 was found to be: Known bad.

Malicious Activity Summary

darkcloud stealer

DarkCloud

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-25 04:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-25 04:04

Reported

2023-07-25 04:07

Platform

win10v2004-20230703-en

Max time kernel

119s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe"

Signatures

DarkCloud

stealer darkcloud

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1012 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1012 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1012 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1012 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2496 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2496 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1012 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Users\Admin\AppData\Local\Temp\chrome.exe
PID 1892 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4836 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4836 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1892 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe
PID 1580 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe

"C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe"

C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe

"C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe"

C:\Users\Admin\AppData\Local\Temp\chrome.exe

"C:\Users\Admin\AppData\Local\Temp\chrome.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\chrome"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chrome\chrome.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe" "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\chrome.exe

"C:\Users\Admin\AppData\Local\Temp\chrome.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GLqLto.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLqLto" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp"

C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe

"C:\Users\Admin\AppData\Local\Temp\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe"

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\chrome.exe

MD5 b3d8ceb7e2bfbe5f089d81312632b27f
SHA1 4cb60364f395dac0fe6b56d3130a9d4ff39d0fc6
SHA256 cf00a8bab3af58f4e0809febf8707b6b4c4e67f46140cd273d468425d012c54f
SHA512 9e5be6621a4820dd86e1285d0d64283c3bcb70576a1fee0e9bb21c2a4afceed8df363f8537870192397bb6897e0e8160334a01ca97d50cacff6e9d38b2ce259f

C:\Users\Admin\AppData\Roaming\GLqLto.exe

MD5 e1f944688e00a6753e1dfa4e5d8a7670
SHA1 bc4ac9ef640a74fcf240f14def4948ec6e9346c4
SHA256 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
SHA512 a469ee8b8771b47ef185bacc7853fdf253533725da9e0f19543e5c38a273a344658808de6e10d2802b2548284778575d9a2b60b611a58e292d1a2f0132e04dc6

C:\Users\Admin\AppData\Local\Temp\tmp8DC4.tmp

MD5 42447d06b385f2b938f2a0a17309347b
SHA1 a83fe35199ae6bc61ebfc0106aa92aa255f58b6b
SHA256 926ef1467e1e52abc8516e5a2fab624679ded69d1cb98beacc7f1a7750c0ff70
SHA512 60a8b2ab6a50dfd62b742d5057321521ca86ecfa081057b3d90abd2223ae70c8f383fe971aa4a7dd4ca0709df83ac55677917824fe9c5bac613f154953648f85

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9.exe.log

MD5 03febbff58da1d3318c31657d89c8542
SHA1 c9e017bd9d0a4fe533795b227c855935d86c2092
SHA256 5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA512 3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5awcl2lf.edm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5 b3d8ceb7e2bfbe5f089d81312632b27f
SHA1 4cb60364f395dac0fe6b56d3130a9d4ff39d0fc6
SHA256 cf00a8bab3af58f4e0809febf8707b6b4c4e67f46140cd273d468425d012c54f
SHA512 9e5be6621a4820dd86e1285d0d64283c3bcb70576a1fee0e9bb21c2a4afceed8df363f8537870192397bb6897e0e8160334a01ca97d50cacff6e9d38b2ce259f

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5 7883a9e6cdcd516f2795d49ee653ef46
SHA1 e37d8d75893d357257878de40a41e98bd5761337
SHA256 358df27af8cf001d3fed50e27ab9281705bc74f49c714ec30460256c81b33b1b
SHA512 e484312ee326aea5f2505db6ec37aa0cc4b991b3cf20c20ce0fa303ea5c5876a821edd8581a3bfbfd638c2836f167063ae715fdf8d0fbe65cde0b12eb10ab39d