Malware Analysis Report

2024-12-07 22:23

Sample ID 240411-aq84jsad2y
Target 16594936431.zip
SHA256 338c23abbf9f4d792d9bac20f519c89fafc6d340dbfd7afea56ebb5ea8f449b5
Tags
remcos remotehost persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

338c23abbf9f4d792d9bac20f519c89fafc6d340dbfd7afea56ebb5ea8f449b5

Threat Level: Known bad

The file 16594936431.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost persistence rat

Remcos

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 00:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 00:26

Reported

2024-04-11 00:28

Platform

win7-20240220-en

Max time kernel

46s

Max time network

16s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2784 wrote to memory of 2160 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 2160 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 2160 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 2160 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 2160 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 2160 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 2160 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll

Network

N/A

Files

memory/2160-1-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/2160-3-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/2160-2-0x0000000010000000-0x0000000012DB3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 00:26

Reported

2024-04-11 00:29

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

146s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll,EntryPoint" | C:\Windows\SysWOW64\reg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2272 set thread context of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 set thread context of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3792 wrote to memory of 756 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3792 wrote to memory of 756 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3792 wrote to memory of 756 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 756 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4040 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 756 wrote to memory of 4040 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 756 wrote to memory of 4040 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 756 wrote to memory of 4040 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 756 wrote to memory of 4040 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 756 wrote to memory of 4040 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2664 wrote to memory of 3408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 3408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2664 wrote to memory of 3408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4040 wrote to memory of 3036 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 3036 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 3036 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 3188 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 3188 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 3188 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 3036 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3188 wrote to memory of 5048 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 5048 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 5048 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5048 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5048 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2272 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4040 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 1076 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\WScript.exe
PID 5112 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\SysWOW64\WScript.exe
PID 5112 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\SysWOW64\WScript.exe
PID 5112 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\SysWOW64\WScript.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\XWWTS.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\MNUZY.ps1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\JDXGA.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\MOAZS.ps1

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uzjvjwpomgqleldypuhcq.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\iilww.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 ogbatobanana.duckdns.org udp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
US 8.8.8.8:53 76.55.89.45.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 textbin.net udp
US 148.72.177.212:443 textbin.net tcp
US 8.8.8.8:53 212.177.72.148.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 171.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 148.72.177.212:443 textbin.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
RS 45.89.55.76:4047 ogbatobanana.duckdns.org tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/756-0-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/756-1-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/4040-2-0x0000000000580000-0x0000000000581000-memory.dmp

memory/4040-4-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-5-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-7-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-8-0x0000000000800000-0x0000000000882000-memory.dmp

memory/756-9-0x0000000010000000-0x0000000012DB3000-memory.dmp

memory/4040-10-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-11-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-12-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-13-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-14-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-18-0x0000000000800000-0x0000000000882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Memory.vbs

MD5 f2423557341720ee37a3ca4160ab350d
SHA1 dff2f296535fa069dd29ad0860bb1d3ca61a1e37
SHA256 82c1e03d1965f9efb7597e8999cc8464d471be14657d42362b4d6ffdb257d2d7
SHA512 3a0ec132bcb1239afa7046130eaf86e41a0693dc79d482124df0e93a1312dc4021a43c0a9db6b48ae201e322e9c61a3b0ac6ae791395d398404140cd79d7ed03

memory/4040-23-0x0000000000800000-0x0000000000882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Memory.vbs

MD5 69e0e19835d62203ac824a0a042f80e9
SHA1 891a847ee52943e9d1eb9ab024a59651dbe74c7b
SHA256 23ecd046f3370b97563b8a0bbb6c93f3792d00446cf54f9836f21b31316a4264
SHA512 a55b07747607e746f8138d509cf823d72e41581ea1a39d0948f5834d87e35edf93eebd1f5db6f50c18a812cb13c8f6232fd9f47d858c3125f82bd885a6079f46

memory/4040-28-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-29-0x0000000000800000-0x0000000000882000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZZWO.vbs

MD5 e7d45c26e15f21e975d223e45b7da4eb
SHA1 8c3a9930d33100cd884f39e8e731db760df63e9d
SHA256 ca21215bc5b694571f93809e6244ef75c69d71649d3598ddfd0aa5e651a9fc71
SHA512 e3cdd9b6904e192d9d1114b5715af1116bddca0e42e34707349fad7f4f3f0f505196ef2cdb1fd0a310727c41154bacee25fd1c0052ab2589289c3a1c617a06d2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPLJR.vbs

MD5 cf213bfcfbf6fd9aa3a9954929f1fbb1
SHA1 e67bfa49f24f815df08b86a26fba794a6e7109bd
SHA256 c876a1d0b87f4bef0ecbc673b18013a42ad86d1e7e243a917ddf66146dba891c
SHA512 efc04c9539cb35813ef2a6c06ec9834041f034996add5683908dfb977b2ca79cb62eb63641ac462393d550336efc4a9a85493f935e6c984284fc0724176aeb39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFF36071456820AC60FD568DDF18F256

MD5 5d3fff1b9b0b50c2d1b978b5e26fe28d
SHA1 8c382cb42267ee979a412bc0a950e67b91822fc3
SHA256 02a302fb8ae7cdd340de1726f1e89bd67b012dc311e7f1e555be28bdae3f3ca7
SHA512 3848ba48b10eeee832fe18d3d8a5645ccbf0ce294e05fbcdacae19285a12524d1c246fbce6507345a987f5998ab6361169aa4f0977afbc5c57249c9a350f101c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFF36071456820AC60FD568DDF18F256

MD5 a3b4e53f08bf25ff61d5c01f367f78c3
SHA1 e92970d6f3c3252f6359d15aabaa9aa6c31db0f4
SHA256 6b844f8c95f0ba2180558d5ef59b53c4590fa398f9368f3c9225f71d2ac9492b
SHA512 689c3c9ac6b1feeae6412c1a46f3b6a8e52353c7eb65e5ae679322cd61ca2c8370c55a6b4aba6cb2714896f2eb3d66281bfa3114ffc36638408c43ad30d8dbcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 691526770e90e29ed992baff601093c2
SHA1 73ddb5ca0d2ef2147a254737c59c5eaf8a3453cd
SHA256 2d5a065d012cba33cf480445063fbafbd0e21da48f0f7f745974f21a0312d662
SHA512 db5957dc2b863613505be8a67a307d8ac4e1b79410e1390def4f96bc2af9b191cabcddbd0e608f86a76cb4e963a1483681fcb9c5331a9d73c1c9a015e96208f0

C:\Users\Admin\AppData\Roaming\WindowsServices\XWWTS.cmd

MD5 ae51876ebf33b5bc2b49115a5f0ce077
SHA1 77a138eac0ebf7a9ec90fb299570166089038321
SHA256 10fd06231daa6f01e645d0b3ca70b1043c6dbacdcfc2523060adb1880effe2ca
SHA512 d19338c6a5d8851b15f2b9d46e31dbb2e9570a02456c76b01be9c70a376aa2520b25791eaedc48cabdb382bab17fd7200f3eb2c5917f029cefa3cd227192fb4d

memory/936-76-0x0000000071B80000-0x0000000072330000-memory.dmp

memory/936-77-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/936-75-0x0000000002FE0000-0x0000000003016000-memory.dmp

memory/936-78-0x0000000005710000-0x0000000005D38000-memory.dmp

memory/936-79-0x0000000005D40000-0x0000000005D62000-memory.dmp

memory/936-80-0x0000000005EA0000-0x0000000005F06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_av3lquxf.ebo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/936-81-0x0000000005F80000-0x0000000005FE6000-memory.dmp

memory/936-91-0x00000000060F0000-0x0000000006444000-memory.dmp

memory/936-92-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/936-93-0x00000000065E0000-0x000000000662C000-memory.dmp

C:\Users\Admin\AppData\Roaming\WindowsServices\MNUZY.ps1

MD5 26fde7d375d1bd5bb2365e3c9f01a803
SHA1 226f0e4fd419f92ef65464bac9656f3a33c9c754
SHA256 3d9452c2294d672986b03b274fdc8111c38b87efc76163995b7a257d5c6c2ee6
SHA512 499a237f13b0bb1e7880d29c057bee403075039f4592e59c10f95d3e57aaa9e2aa37de61f3f5b706f03438778955bb23d3f847ba116e3784eb3534725c7b3326

memory/936-95-0x000000007F160000-0x000000007F170000-memory.dmp

memory/936-96-0x0000000007550000-0x0000000007582000-memory.dmp

memory/936-97-0x000000006E510000-0x000000006E55C000-memory.dmp

memory/936-107-0x0000000006B50000-0x0000000006B6E000-memory.dmp

memory/936-108-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/936-109-0x0000000007790000-0x0000000007833000-memory.dmp

memory/936-110-0x0000000007F70000-0x00000000085EA000-memory.dmp

memory/936-111-0x00000000078F0000-0x000000000790A000-memory.dmp

memory/936-112-0x0000000007940000-0x000000000794A000-memory.dmp

memory/936-113-0x0000000007B60000-0x0000000007BF6000-memory.dmp

memory/936-114-0x0000000007AD0000-0x0000000007AE1000-memory.dmp

C:\Users\Admin\AppData\Roaming\WindowsServices\JDXGA.cmd

MD5 bd6857a941997730269e24a8c8cfd1fd
SHA1 5fd0b1db9aa4fbee2cdac89c9411029747017e94
SHA256 dca163e5a20432b2e3f4b0c7e2f117d5a0d0b9b43a4ba54e7577a2f4880695fd
SHA512 678db8d6d7660fc478e48818aff8ec6a04221e78b6a63cccf52622d6fa29b3d1476c7a388ef41c47f4852bfb211e037bbff051a830805141fbd53a656840bc87

memory/936-117-0x0000000007B10000-0x0000000007B1E000-memory.dmp

memory/936-118-0x0000000007B20000-0x0000000007B34000-memory.dmp

memory/2272-120-0x0000000071B80000-0x0000000072330000-memory.dmp

memory/936-121-0x0000000007C00000-0x0000000007C1A000-memory.dmp

memory/2272-123-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/2272-122-0x00000000047C0000-0x00000000047D0000-memory.dmp

memory/936-133-0x0000000007B50000-0x0000000007B58000-memory.dmp

memory/936-136-0x0000000071B80000-0x0000000072330000-memory.dmp

C:\Users\Admin\AppData\Roaming\WindowsServices\MOAZS.ps1

MD5 5cf2c1666ad003aa8b6cd8a97cd584a0
SHA1 1660e606e6408bca33e935ce190e0a1ebbec631f
SHA256 ec81e2567d6389125069a1b4724d927707ee00f12af4e0f9d8751f379ae9f7c3
SHA512 eb6d44a1c5a8cf06fab45ca0981a8ba13b3e529b424f75656d3b371125d11f39ee386ffa1802e1b0202395fcfd338905cb70ef6af1a1a69ff1afb677b836cc9e

memory/4040-138-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-139-0x0000000000800000-0x0000000000882000-memory.dmp

memory/2272-140-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

memory/2272-141-0x0000000008040000-0x00000000085E4000-memory.dmp

memory/2272-143-0x00000000008C0000-0x00000000008D0000-memory.dmp

memory/2272-144-0x0000000007050000-0x00000000070EC000-memory.dmp

memory/5112-146-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-150-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/4720-153-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-151-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-156-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2272-162-0x0000000071B80000-0x0000000072330000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6681dde54f627893513e4d79bd92c16c
SHA1 87e4c3189440a0576f90a5710894ad0590143a8d
SHA256 eac4af70d9b3ee49dfe2fa532826a93d976f9d9bc1827f52b5d7749b490b6720
SHA512 57884a982e9dcf38fdbf8da3e0a94fc13868a3fef2469d8b07544e8e95678f5f44a15bd51c69fa898e97bd60e0b3ec71515925fe1f2ee9f28b08ce44e8034298

memory/5112-161-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4720-160-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4720-154-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-163-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-164-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-165-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4040-169-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-170-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-171-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-172-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-173-0x0000000000800000-0x0000000000882000-memory.dmp

memory/5112-174-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4040-175-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-177-0x0000000000800000-0x0000000000882000-memory.dmp

memory/4040-182-0x0000000000800000-0x0000000000882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uzjvjwpomgqleldypuhcq.vbs

MD5 322928831a8b29ebc06d5bc8edbec60d
SHA1 75b4a66f691a9550423f5acdb0fc46142c05a1fc
SHA256 93d2d9e801aa2189593ed51e168564c69d964dbf71579c2195586a58445b52d8
SHA512 8a6584e36803189d78b20f251771779745774dab3bee0366082b913e2395233dfd7cf83c84e6c5419ed5662045875c16123b075d706d23f3d57a732ce8666ca3

memory/5112-188-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-189-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-190-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-191-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-192-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-193-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-195-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-196-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-198-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-199-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5112-204-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iilww.vbs

MD5 7c511f6f0add80ad7f9b0b22d50959f0
SHA1 e656bc5752fa864e6c1b86033530f31b9ca9e726
SHA256 39f9ff071536b555e9b7da9e0104cb979f22f5236abe9eca9a5b90718b36da15
SHA512 3ee23b4f523454ef0b88dab5a543e2be704f9e1e37ccde7a8e0b17b1613e4db6235e18adccb3f9d44c1e76faac0c7caabfaf51e76b449a6d785dfb3ef4b9a918