Malware Analysis Report

2024-11-16 13:35

Sample ID 240526-1vezdadd9w
Target ЗАебала.exe
SHA256 be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6
Tags ramnit xworm banker execution persistence rat spyware stealer trojan upx worm
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6

Threat Level: Known bad

The file ЗАебала.exe was found to be: Known bad.

Malicious Activity Summary

ramnit xworm banker execution persistence rat spyware stealer trojan upx worm

Detect Xworm Payload

Xworm family

Ramnit

Xworm

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Drops startup file

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 21:57

Signatures

Detect Xworm Payload

Xworm family

xworm

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 21:57

Reported

2024-05-26 22:00

Platform

win7-20240508-en

Max time kernel

125s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe"

Signatures

Detect Xworm Payload

Ramnit

trojan spyware stealer worm banker ramnit

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wecmhc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxEFDB.tmp C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{265B54E1-1BAB-11EF-B3A2-4205ACB4EED4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000030000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wecmhc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Windows\System32\schtasks.exe
PID 2576 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Users\Admin\AppData\Local\Temp\waijyx.EXE
PID 2576 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Users\Admin\AppData\Local\Temp\wecmhc.exe
PID 1312 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\wecmhc.exe C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe
PID 1272 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1144 wrote to memory of 2816 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2816 wrote to memory of 696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1128 wrote to memory of 1072 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2576 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Users\Admin\AppData\Local\Temp\gzklzr.exe
PID 1128 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2576 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe C:\Users\Admin\AppData\Local\Temp\bmrfkt.exe
PID 2144 wrote to memory of 2896 N/A C:\Windows\system32\pcwrun.exe C:\Windows\System32\msdt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe

"C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ЗАебала.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\waijyx.EXE

"C:\Users\Admin\AppData\Local\Temp\waijyx.EXE"

C:\Users\Admin\AppData\Local\Temp\wecmhc.exe

"C:\Users\Admin\AppData\Local\Temp\wecmhc.exe"

C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe

C:\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {FA2EF7E5-9269-4717-A341-0E67BD588E91} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\gzklzr.exe

"C:\Users\Admin\AppData\Local\Temp\gzklzr.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Desktop\GetAdd.rm"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Desktop\GetLimit.scf"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\bmrfkt.exe

"C:\Users\Admin\AppData\Local\Temp\bmrfkt.exe"

C:\Windows\system32\pcwrun.exe

C:\Windows\system32\pcwrun.exe "C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Windows\System32\msdt.exe

C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW3F7.xml /skip TRUE

C:\Windows\System32\sdiagnhost.exe

C:\Windows\System32\sdiagnhost.exe -Embedding

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\how1fh96.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES742.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC741.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tt7owjfx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES790.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC780.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\54s7wm_q.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RepairNew.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\thpfoa.exe

"C:\Users\Admin\AppData\Local\Temp\thpfoa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:53750 tcp
US 8.8.8.8:53 involved-delete.gl.at.ply.gg udp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
US 8.8.8.8:53 api.bing.com udp

Files

memory/2576-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2576-1-0x0000000000A00000-0x0000000000A2A000-memory.dmp

memory/2576-2-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2720-7-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/2720-8-0x0000000002790000-0x0000000002798000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

memory/2648-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/2648-15-0x0000000002210000-0x0000000002218000-memory.dmp

\??\PIPE\srvsvc

memory/2576-32-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2576-33-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\waijyx.EXE

memory/1584-41-0x0000000000400000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wecmhc.exe

memory/1312-50-0x0000000000400000-0x0000000000481000-memory.dmp

\Users\Admin\AppData\Local\Temp\wecmhcSrv.exe

memory/1272-59-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1312-58-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/1144-68-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1144-66-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 302a161addf4cad7c6f078b7c5ad916a
SHA1 01450a35f72a6db951fb07fce749508f8aafe153
SHA256 be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6
SHA512 0c60134a2189554e6d47ef0e4845fe2d661b1d7a021bd530b8a323a2496fa7958dad31feb0022348b9c655a4aac4a9a67b13a1adafcac454a4346fa50796d8bd

memory/1072-72-0x0000000000D50000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab649.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar6BB.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 105b09476ab86df3d0a76b38595a2e47
SHA1 910645fbb8bd61957435521d12314a0b09c2df38
SHA256 c5d579cfe1c82bc2af79a7fabe5cd9d749c3baf3e5288b72356af35a6462f141
SHA512 d5c3d877a4eef401f92e9d4d076dcd446a2baf4c7062db293dec834f4c6e5b4db8ccc225af6ac9658aa7883df2f78770616de13d552c0a8de71a470e76d381cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06b666534662d91e0e18ece334392144
SHA1 692bdc63d8153f2b6f15cd88be77eb0a245d1f8c
SHA256 9e764e1585c10a4bfd76b787327c3a0d1f6077bd47b98b0f14ca31ddd22e648a
SHA512 c7ec253731aa0bf2439afd0f8af04f7d0cb6c76930788ce30ffeb54cdeaae906820382175aa28e768471d1fbc5cff6d296274dba7309c30afc8f61ce625aa027

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5ef2182b6e04718ebea76fe145cbae8
SHA1 5d6acccdb2fee757679e1b1f1db2a5eca6b07bbe
SHA256 23a68971be09ea08485de13bb88e92588ff2923c4a1fedc800a29ae87effbab0
SHA512 cb82e0f0746ef8a8ea64f2cee0a9d74ff7275a69cb91566c582c5e7ce673cc06d066e3d48594cb2a16dbe76bde15bb5a69fec14796c486907194e3ef3d0ff619

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7979e8cbdba0a48853efcfe4ff94c191
SHA1 2da1fbaa425642fe9a3321a80529e8e5e8d9fe33
SHA256 cb30479034a5fc20883bed533cbf0286dc8413326002d23109577f7728c5aac1
SHA512 af52d17c4cfce3551a19e44e226fd4965b36484c77e657a29b994c260b089450a573af5917b60d93443543c1f953f523c54d334bee470f3d39ea51eba6801151

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64ee5dcb8d9ade0c36bb78074853efe4
SHA1 c66b439c6ddf88518e02e480f7d247c7d3a2407a
SHA256 c3a89ea60f8eafcb67e10f9cd9f7cbb13685efaa15d7d6420521158cac8b1eb2
SHA512 e025b164312a17e8037c8f9e2ccc6ce82cb80eb90086c53f93a43d79863c7571852e283201d230000584d6cdb00d9a5750bb311a2bc352911801608e77a83670

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3028a2a607e4329d888760e254ff12dd
SHA1 9e8b5c5e2e11bfe18e32154b054c045a0a666a5b
SHA256 f51db88cc8fcdf2b2123679b4928683401da799968904e8ba0317456e6895f7c
SHA512 1e2ed9ac6458ed8797e04c75b464995bf4e8cc8c4208674e09befc4e3a52d5653eac98b2736d67e39f62bbecde1ea803f8f0ecbfb46ae1f6a5ad9efd07be2294

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec1a34dddb9dd9c6585e2bd351c13c83
SHA1 aea8efd40a6929dcacfea2be1b1409f1d9974a0a
SHA256 18bad3e0aa98eb13a0bbb8dc9e2a5cf2747b413561f00383df475c216b452f0e
SHA512 6b0b441a53f922539671b96a283b176428934dd10898b5b8340fa4f8ee0133f4e61737833ba0bef0ad1135347095b7b1ede72af80e3f4cf9852ee0df69164b85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd26489bcaf2e22988027140f18e63b0
SHA1 33b029526bee4d433c13953cfc03eed3a735299b
SHA256 2a8901813b5d760a7cb0aa7f3354588eded59fa7d71914426e475cbf84afa398
SHA512 2f0dc1dedb98c936a743dc77fc6edb71302ca80d7536549197b69ecce4bd2079130fb8de7195a1ff5c15fb7dc0a6fe087458df85e1785ed3ec373e1a7a52bb44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24ac2afc0ba9c37f7a04c96e05bb7159
SHA1 13f383a8f97f0fd4a9be649c3d3305cf6fdae546
SHA256 94fb2a42df1f72b64ed3c5cef36e5c651fae1b5d6f989702c2175dac716d02a6
SHA512 7f00014159e5c432fdb744a1bbf9cd6ee20acba545ccde8c09526eaf9375fab8d7264e9a6dc956307435d88d21f5af3da8a5fc75547598430ee426c77d0ff410

memory/1584-502-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1312-503-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~DFBC8E15547DB57B0D.TMP

MD5 85b44a9773ba4e0df6892c6c6ce7da51
SHA1 897be9a2e21b24f697cb9f3d0b34e62294ea5873
SHA256 456b2e6f43c97dc71a4be326283c7d1b77652322dbff1d68290b42f4d7bfd9d2
SHA512 1f2f83f3e87a7c34ab8f683564dfd47d13b6f988a5165ce0e2b22d5cbc9d86c49891356cfeb9782282015a92f3236af7b2d343c7a598f44b4998a2be86318825

memory/1584-517-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1312-518-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1312-520-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/1312-519-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1312-522-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gzklzr.exe

MD5 2f0c1f93f38047e74921bfd00599c37a
SHA1 a052301f981f4ab4c8667b543e16bd407e23348b
SHA256 70d56bc08d401f0903a9421fa2434a82df7e72d30774fa21a51b822148c51cce
SHA512 fc962d66fd5d0ae865ad53bd5d914789e83304b1fb2cef3bbe32630ad0680a34faf580a8e10e646329a169e31cf98e1d42e02ab5a88cc333fa57f65779e1fc0f

memory/1312-531-0x0000000000400000-0x0000000000481000-memory.dmp

memory/3028-532-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1312-534-0x0000000000400000-0x0000000000481000-memory.dmp

memory/3028-535-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1312-537-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2732-539-0x0000000000360000-0x000000000038A000-memory.dmp

memory/2884-540-0x000000013F610000-0x000000013F708000-memory.dmp

memory/2884-541-0x000007FEF6930000-0x000007FEF6964000-memory.dmp

memory/2884-544-0x000007FEF6780000-0x000007FEF6797000-memory.dmp

memory/2884-543-0x000007FEF67A0000-0x000007FEF67B8000-memory.dmp

memory/2884-542-0x000007FEED3A0000-0x000007FEED656000-memory.dmp

memory/2884-545-0x000007FEF6760000-0x000007FEF6771000-memory.dmp

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

MD5 b34f8e4c385af6107873364f3079572c
SHA1 91bb7bfd0ee61b8a362baedff7af442ebf014f24
SHA256 e891d6ffb1b43524d5288a757f1562aec2a3d9cb2e06ed73d6aee82fa9f67de0
SHA512 460a3cd11cb2bb48391e3005f7e3a6003912639826aa7d68268ac42618eba10b930b9c1f8d5a35175f5325127529c757b1d6c310072da1f52432ce0186154855

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

MD5 9853c62a5f33b33d6edf3d512ce69037
SHA1 c14ae4b1c3923c4f6f788318dfb636e5e8d80210
SHA256 ef15967bf09fd04560562d05f5c89318296844feda8351e612690e6b5755e595
SHA512 ce8fde8229f05b6826eb439f1e9186f904ac97837f2f97b20654d11b14dd12cfab067741bed9c2fb2555c668993dfefddc864094c4430c2f300ba46aeddcea24

memory/3028-694-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

MD5 ef75ec94cb6bea1251a45ddcefb427ca
SHA1 7a1480688e0e210b7072047e06b617c941cf9ffb
SHA256 15cbcb9b02e41380a9174ae8e8ac94a98f6562d44bb3930541756b41537bd927
SHA512 599e833d5abcb2de193d20bfe7c44cd4a81ec367e0169fbd4005ce40ba05daeea527308c150a71fe5b7d32323b547fd28141f6dd7c8a46bf89dead581ce0efe4

C:\Users\Admin\AppData\Local\Temp\bmrfkt.exe

MD5 464d1821f7a15ad61364180aa38bf33b
SHA1 941ef8750a84b4cdfe1b5f9aefb862aa95276515
SHA256 cfb20098a65630d4488e23032169ea4564f92deeac6638a7607c19333e44dd65
SHA512 96cc0daa0dab9aed1c6f51c9033ae21e8c26f83002a8d77428e13b6cdee05968447c2fb2b76bcbaa984c8f87be03561c08d915fd7335ddcfeedb769e8a20acc0

memory/1312-721-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PCW3F7.xml

MD5 6168825440dcc34b6c6e904579b13bc1
SHA1 c69fb94feba5e6c0d9cb2b7421c1f1caa5a46112
SHA256 0ffbd8da85b2d7fdee6f1a9487582ca1b5e66c37b702ac070f49443e0a83c888
SHA512 a8e7bef4452ababb4bdda886c01fcbeda67ab4ae2a451d9bc19c7510305e424d734f45ffb3385bb2ac5abb8a5ffa645f4327b05a45e987b0b81c6745ac172a15

C:\Windows\Temp\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\DiagPackage.dll

MD5 e382ec1c184e7d7d6da1e0b3eacfa84b
SHA1 9a0d95eb339774874f4f0da35d10fd326438b56c
SHA256 786d95dc0d59089e14055385cce8765888f55236b5220fdfd28cf2d9b07e63ee
SHA512 019bcb4f41b5bc5853db2fa528ef126e839c5b0d0dc096dd441ba02d8c71e7913efd16b74aed93952ad2cc5422b151c12d3017fc22a65ae5ce2e7e1fc72a396c

C:\Windows\Temp\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\en-US\DiagPackage.dll.mui

MD5 526bcf713fe4662e9f8a245a3a57048f
SHA1 cf0593c3a973495c395bbce779aef8764719abf7
SHA256 c8190f45d62c5c03013ffc66b3f9bf60f52a32464fa271d2fad5fd10432da606
SHA512 df7e93617461c2fd25b5b684311126e66b7cf9f1ecfbf4c8a944f65fb2c904194ec635a9c7b962d4583ea77b0312435c7dc1b5ecbcb1fb3a5a74fc1eb2c21d04

C:\Windows\TEMP\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\TS_ProgramCompatibilityWizard.ps1

MD5 46e22c2582b54be56d80d7a79fec9bb5
SHA1 604fac637a35f60f5c89d1367c695feb68255ccd
SHA256 459af2960b08e848573d45a7350223657adb2115f24a3c37e69ffe61dea647f9
SHA512 a9a24df3fb391738405d2ea32cd3ef8657d8d00d7366858a39c624dc9ebbf0b64d2817355d41eed6ad3cc7703d264d2921c8a2590ff95601d89f3cca72ba786f

C:\Windows\TEMP\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\en-US\CL_LocalizationData.psd1

MD5 5e03d8afb0fae97904a14d6b2d1cac9a
SHA1 78f401b1944ed92965d7a48dba036413688f949a
SHA256 538a5f22a12b0be59a7a83e0381c6ff661932f07643a87c2d3a542eade741671
SHA512 884c0494728dd9f1a4fc8092152b2253350304b745d6fc1e4b02c9cd2366bc8c92a169c549cd77bcd67e5e2e515d89d46c1d11de5eeb500d531d87839365cd19

\??\c:\Users\Admin\AppData\Local\Temp\how1fh96.cmdline

MD5 3099d4f0b88bfbda04824384cac95c92
SHA1 f6318b8168ac2d2fed9fc1d03653e299935bda6a
SHA256 e41cca6781453970de1beabac8f33e8a6ce28573d02b2d44a0aa485ed45408f4
SHA512 8e709762289232a810973b7d91e93d760e4b62be1444c7cd003690691dbd5627dfa5bb5c5ebd0a93b64139e2bdbd4741f8cfa6111e822758e797d6b07db4af3c

\??\c:\Users\Admin\AppData\Local\Temp\how1fh96.0.cs

MD5 b0dc59b099ca7c12fb8ad72d3c50c82c
SHA1 f19e28849921cf51e322824c5a8ae8bc00014cd1
SHA256 e75eaaa3d7908fb05000c0a957048d20091a0d2575e87d091d11cdb3a5b562e5
SHA512 852c937d36afe3b6df5826b9f1877d511259e2a0ffcdf229c8c655ced7346b36e526928537386121e3ecbc8b1285144dabe3b760db1873cb3baaf70a0f21c364

C:\Users\Admin\AppData\Local\Temp\RES742.tmp

MD5 fdb27e1e32093f063454b5eac4b50148
SHA1 9c1a03f30ac2cadb9e88ebd25e468b497a5f4112
SHA256 24a80eb47cc6027e685a37123c26924776c2788c6205496e3c2e6b00e885084d
SHA512 e8090cee776873096256397f7f5ed517d5e072d8f98708ff799496cd2a12701cb9cbe772d049a34e4992e5c0a6aae60accb18a1222d380ee8d8e8ca3154fc4cd

\??\c:\Users\Admin\AppData\Local\Temp\CSC741.tmp

MD5 311a4a4f5b38c9094ae35c9192a03f86
SHA1 983a51f9199bc48e9ce3b859f465ddf6408b26ef
SHA256 4acabd74823b16ed607cf7364fcc2c7847a3986d3fcc380fe018d4f1f65602fe
SHA512 c4d0c53f78012dc2f7c3d40f1198b30d688d9240f17996a08541a33be7d85b29e7146d1edc4e6dec83551ec928937213d1a081ae599ef13255a0a655ab92d08c

C:\Users\Admin\AppData\Local\Temp\how1fh96.dll

MD5 5e27546c9aaeae42fbad909ccbcbf45a
SHA1 a98c5188fd9774b3aee2991bae460bf63cf9cca2
SHA256 57dcbe01ac150028243a64a7c36ec492ae3f39d3652bf6a74333dad85a455ec5
SHA512 61abd7306537e853479094db04f6821553314ec7714851d73d3e984ed9ad4f6106b7026ef1607a919a2a452b78a5fb44bc88fa32760e250810b4f4dcad84656f

\??\c:\Users\Admin\AppData\Local\Temp\tt7owjfx.0.cs

MD5 3880de647b10555a534f34d5071fe461
SHA1 38b108ee6ea0f177b5dd52343e2ed74ca6134ca1
SHA256 f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e
SHA512 2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

\??\c:\Users\Admin\AppData\Local\Temp\tt7owjfx.cmdline

MD5 cdf96e383da9bb3225834c3922f503c3
SHA1 39256686059ca00b004e9e422f11ebba8bf0b272
SHA256 babe2f250b831f3f182b9817f30978a0cf4a43f10e084055d7b82972a2f7b88c
SHA512 bf7d068ee79178d5d54610d84b57e04cf0df12dff0b206ea109568f74a913b468ac412b71f67467889d644ec138df86ff16178130f6d99cd0e2cb61bf465162a

C:\Users\Admin\AppData\Local\Temp\how1fh96.pdb

MD5 d3fa2486f2e74d214883dff0a0be3c53
SHA1 0630776393ac9874581fb54355b965de6a3a0676
SHA256 a70e728e65060febfaf21c8c974228adc98e8ff24b7c1239f79614b2a5cf8787
SHA512 7ddf200b3adc31b844a1134619d0ef7938014ff7caf3e3d853878fe5c5137e15b80326d922e86e4a0da7f6173c835fc18567c3de6c6c61ff0b2cb4fe942fde8e

memory/828-838-0x00000000021D0000-0x00000000021D8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC780.tmp

MD5 68aa6e3c982102d04faccde4237fa00c
SHA1 abad59cfb75a05bf4d3123e19d7b0efb0e9a2d5c
SHA256 aebf83eb816beb17ce85497d937ab8d4e5eb64346e7359a706bfbc80d4de830d
SHA512 9675dace4d89a88e6989474eb4a4eb78a6ebfd28e60ba55297ab567fdb4217b4b8b009e5ee9f0083380f7d957ca91345dfad378e07f2d270611a8246d99bdc8a

C:\Users\Admin\AppData\Local\Temp\RES790.tmp

MD5 1913b231befaea2db8094a4d70bd89c5
SHA1 60ef639f20ef29c76e1bf68430305db3e381bd19
SHA256 ec2e3c808a2048e56b6285da45d1a1d8a4312167cd01a8d458e06432b7efa496
SHA512 16f58c74dc7cc8a7e6dc2bf7920b512ebffe064ac992f3ab32cb397d1de7f52903c6bcb69faa1589002589b02d0a92fec87541a81f02d0f3a8216622df2dd47c

C:\Users\Admin\AppData\Local\Temp\tt7owjfx.pdb

MD5 69bd2c11dc42a6b4f139d4440fed8eb5
SHA1 62711306e20755bc89074674f514c5a454152a07
SHA256 0302303f12db9e0841430b04b6f1028ea19aa48cf9874e069952013703b491fe
SHA512 83e6e10d5e0c5da60d9e1943eb9b5e1ca122513f7754d98a911050ad75ec648f0ecd036667af1af9e481480ea784875b18d4b979552ef968b160428487cf8538

C:\Users\Admin\AppData\Local\Temp\tt7owjfx.dll

MD5 73c211f4c6a420979322bab3a914444c
SHA1 8ebfa6b260e855f6b985aeffb7cb85c39db0ad4f
SHA256 59d8f22556d99d235a063e3fd95360a7ad17cd137643c0d98864caecab1ba0e4
SHA512 666977720f267b86112f33855ea331a9cb4487ed46f5ed36d062412148745ad2c0d95f0d13abbf4626e4a72555d9a79141d4926602443b990063d8bf77c4f73a

memory/828-854-0x00000000021E0000-0x00000000021E8000-memory.dmp

C:\Windows\TEMP\SDIAG_7fe5e8f1-95a2-44b0-af7e-fcd19e1e46fa\RS_ProgramCompatibilityWizard.ps1

MD5 367fe5f4c6db87e1600f46687e5aac54
SHA1 9807dc03ea1ecf6ab12f36feec43e2a635ebe145
SHA256 177625ac9b07bbffcbbb47101c2d1121f47b03b42226861bfd7974b9cebc0c98
SHA512 694e1a2c2c508aa6105872d867981431ef895834703ab498c2483630a97a46cbc1ecff9a62857fbebeb85cf2ef9c4dc51e4b6f20cf74c65c1b67f68acabfa303

\??\c:\Users\Admin\AppData\Local\Temp\54s7wm_q.0.cs

MD5 252f38959fe104203e386334ad7affc2
SHA1 2c8d8a8f2952d79afbb9f1c39407aed139a6ca60
SHA256 32d6b5a428a39416d88b77bcb7569c68ece04d78805ee8200275ba37b4648216
SHA512 7a7cb397908f0b68255f44d13b56f24b98566445f48f609c04093e9f319b3b1e06df22a5a0783faa59c12e221d3597a8a950d1c10f5a3502ddb091ebdd362421

\??\c:\Users\Admin\AppData\Local\Temp\54s7wm_q.cmdline

MD5 ef1d03c21213f300b30b4465795e6870
SHA1 f4dfa1f39c4d687dab226c3d21a22280a230f381
SHA256 e117c7dc48ceab9962459e61618b5812a5c6ce45497f01829cc7701c4338b82c
SHA512 b806e53f232c2c310c5ef781cac7f1a9ae13cd7799c3390bb430d02848fbf01a9af437ab27fdbb7fcc330b65eafba06f8c81787742bba9418b1a30f8f4d5bb59

C:\Users\Admin\AppData\Local\Temp\RES82C.tmp

MD5 396c68d152adf245a367ec03c295b979
SHA1 132fcca384815bd6421b71524f174716ee56e837
SHA256 0794b80e2ee1e89bf43fe70f017c2fcf68c0ca5ef97af9042baa77eb016d852c
SHA512 0356e48d4f39a4b4669189ef4098903909b229c477a9cc2c665da1906071a1209e1c247b1afd17bf7d5fca672b0acfa5a750e227e5ee38b1cb151f58a6b9fcd5

\??\c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp

MD5 558088e3d31dee7f0c1bb28b4cc1ad6f
SHA1 4d213362f2665ce3ac66a7d6f9bace6f5049eb49
SHA256 aca0f2e1f90fd67cdde48be7f573d20ae0cd00541f931b894d9cbd1086eed385
SHA512 b8517646e9fd8982e65d9a96b81b9adf6cba91fa7040e7e71be07eea83a00c782ae52200fea3200b4742c0371aadee07502dc9476cd8e6f69cb7fef1958f4fd3

C:\Users\Admin\AppData\Local\Temp\54s7wm_q.dll

MD5 d196c51bc80b2b6a1b001af9fade340e
SHA1 4123ad5b99248afde39365f73b53203226b5b513
SHA256 262203ba6008cb8ddb879760e9d0f74f950f0b8f3deecffad5e1c7bde1c7973f
SHA512 7f76b4ae8c1feaaf1c59121d259ea870b14c38f4f9ea16bb190a5c88dd53c6bff4b54d683593c97ff3993989fead289c56f5db1df384a433ac2745cbf420d19c

C:\Users\Admin\AppData\Local\Temp\54s7wm_q.pdb

MD5 e608b117ca442382dda1c379546f19f6
SHA1 85ae3a36e7074db0e9175227722d5fad08239446
SHA256 53fddb85408dbc7f931eafead07823fec604e9611b27af0ab0e97a8ad0518cb6
SHA512 62b4128a21eb7d9e55c50722e87d2e7733f423e56a72c0427185028e23c1ec8840cc8105d8b727b538b87bed23e1acadf2a76461929b731100c4835a751e803e

memory/828-871-0x0000000002380000-0x0000000002388000-memory.dmp

memory/2688-879-0x000000013F610000-0x000000013F708000-memory.dmp

memory/2688-888-0x000007FEF2620000-0x000007FEF2631000-memory.dmp

memory/2688-887-0x000007FEF2640000-0x000007FEF265D000-memory.dmp

memory/2688-886-0x000007FEF2660000-0x000007FEF2671000-memory.dmp

memory/2688-891-0x000007FEF2560000-0x000007FEF25A1000-memory.dmp

memory/2688-889-0x000007FEED190000-0x000007FEED39B000-memory.dmp

memory/2688-890-0x000007FEF25B0000-0x000007FEF2617000-memory.dmp

memory/2688-885-0x000007FEF6680000-0x000007FEF6697000-memory.dmp

memory/2688-884-0x000007FEF6760000-0x000007FEF6771000-memory.dmp

memory/2688-883-0x000007FEF6780000-0x000007FEF6797000-memory.dmp

memory/2688-882-0x000007FEF67A0000-0x000007FEF67B8000-memory.dmp

memory/2688-881-0x000007FEED3A0000-0x000007FEED656000-memory.dmp

memory/2688-880-0x000007FEF6930000-0x000007FEF6964000-memory.dmp

memory/2688-893-0x000007FEF2530000-0x000007FEF2551000-memory.dmp

memory/2688-892-0x000007FEEC0E0000-0x000007FEED190000-memory.dmp

memory/2688-894-0x000007FEF2510000-0x000007FEF2528000-memory.dmp

memory/2688-898-0x000007FEF2490000-0x000007FEF24AB000-memory.dmp

memory/2688-902-0x000007FEEFBE0000-0x000007FEEFC5C000-memory.dmp

memory/2688-901-0x000007FEEFC60000-0x000007FEEFC90000-memory.dmp

memory/2688-900-0x000007FEEFC90000-0x000007FEEFCA8000-memory.dmp

memory/2688-899-0x000007FEEFCB0000-0x000007FEEFCC1000-memory.dmp

memory/2688-904-0x000007FEEFB00000-0x000007FEEFB11000-memory.dmp

memory/2688-905-0x000007FEEC080000-0x000007FEEC0D7000-memory.dmp

memory/2688-903-0x000007FEEFB20000-0x000007FEEFB37000-memory.dmp

memory/2688-897-0x000007FEF24B0000-0x000007FEF24C1000-memory.dmp

memory/2688-908-0x000007FEEF9A0000-0x000007FEEF9B8000-memory.dmp

memory/2688-907-0x000007FEEC050000-0x000007FEEC074000-memory.dmp

memory/2688-906-0x000007FEEE530000-0x000007FEEE558000-memory.dmp

memory/2688-896-0x000007FEF24D0000-0x000007FEF24E1000-memory.dmp

memory/2688-895-0x000007FEF24F0000-0x000007FEF2501000-memory.dmp

memory/2688-910-0x000007FEEC000000-0x000007FEEC011000-memory.dmp

memory/2688-909-0x000007FEEC020000-0x000007FEEC043000-memory.dmp

memory/3028-911-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1312-913-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\thpfoa.exe

MD5 cdc5de14efb4fb2c0bae2db79b88c054
SHA1 e5d7c97d11a2d5803c670bb06596eaa93551bd99
SHA256 9ef6728c8a51744786ab767b921f50484820c4a4a92792e57884024b1a04a4e8
SHA512 e528d0d8eae7b22daea61a1074992101b2cac172d036904fb6766c8d48d53983d59aae4dc364f40b6fbddff727209e336c8547313502f0ed180c7943b171c94e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5aaadd86a0b7c51ad2a40a8b82ba061b
SHA1 a6a9875a4c1f118b17a12fad1cc290d430e90f1c
SHA256 f416fe4aa3bb8eaa10659ec94f0b74f9787d55384460756f5673d1acb4dda1eb
SHA512 2ca6d79dccc8c8c06d82b08a9c2b7ace95a0e54fd671c72a46122b24799313c6ad233f0f266389fed6575746adb41fd3048360102577ce779a2c98c49a90eaaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4e593a07e37bb42d4cca08800f384f9
SHA1 36880dcbf1a7a491688c2d0d1979dc75123b2f91
SHA256 640c2c2df4d4b555214792919082bc20ce375e7a4303d1e7d984fbf8883cd958
SHA512 153a8aa2f718250a8dd2e323836870ddd32ff188b29b9992bffc2b1d94a8e6bbcba94be2ab5febbc8b7d1bc2b0c503a0a6ba40c1f082a696902d5f1f1f67bc18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdb4bfd11aa6b5c57bf8cc92ceb35e15
SHA1 d2acabaceb797eeb3ff144440300aea31073deb9
SHA256 8d832a9f0492967d6e630f6fa94edf683ab994ecce02b4dcaf7e014e1701e4f5
SHA512 5fe9fbc79278fbac996f6e4ebc5c5b2376f15158a2fee04b4185be099f1c98262a71248438ce0ffb729a62e2a82a7caea9e5bdf020c5eba1be67dc160f4dbfda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d25fb6bc4fa2d000b5b3c18a0e7e5ee
SHA1 2a5a2d9d8f9910461d093abe7fbecd6741a34b3b
SHA256 60bc44af09ffa101d511ca5f053d49ad7c9298e7201f8696cbb412e3a0ff8ba6
SHA512 12490365dc7559eedfd9128fba3194a3690375b736c3ef62e0fb36a2f00b529c018ce14008436ed6a5957f8e9963fab977938d2be2dc23a36ffeb14db594a794

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b0e9a11600e86830bb148adfc9c6fe9
SHA1 bfbe98f8eaf91dcd49e9341d91b94e98998d42ba
SHA256 dd024d95533d00e7ed804e9fe60e3aae92ccedaf23a03290034a1ccf003db5e6
SHA512 0fda71b757669a15a4e9da2907afac2f23ff5b9fdbf5572f52e7a52bbe83300e073416569d106a1d2fe901ec8f6888ce96dfd49567518c37aa8e1e81aca0fcda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f4d2320f3e4cdd26c27387a9febd1fd
SHA1 a02125b2ba3dd005aba7ca1222b5de29a0777a86
SHA256 6952a12310ae47c4ebfbc3f1902eeb07f341a31040cf7726f7f5c3669b176f35
SHA512 048a18c2eccc07c401bc01069c2a9f421bbf2d63b3384a852949c3f87cf2514b188e4126e77bd422af6cc8c14d40c2fd8b680216df1ce8845445b2114916a18b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c65158032e71097b72c612be9d97ae3c
SHA1 bdf404fa7e2ee31b397e08f171ccfc788e45aee3
SHA256 f70a9bf1647acc24110e3c6e8cf0dd0414d3cf72657f35f98e0c218bb08f69ee
SHA512 632e629ddacf2ba6cd0a93a99fd40a461e40533fb499232f13c66d060a94861a59ce73be655ab7165f7ecb57ae5387fc3d7ef229ffb3457e6be2d084d29bb472

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea84c9b3e5214276a80548d68eb4339d
SHA1 47b8f2718f89b15741a1e6fd9e9465ba5e1caba5
SHA256 8fc64071e73c8b7f858968b31ba54925edac9ebe138e835f9f081ab53ad4fa9f
SHA512 66ab70a79391d8993b8d0eb09836d2ec755ee112af37e2c2da07a4b66a2830a871d086f71fd7d1b0a98eab9944f1f43af14bf0457bb0a5b36b399e6addf6d9ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be70bd4205e3f906931f841a509f3d06
SHA1 0ba100b11b50db4aa118289090e9c764c94858de
SHA256 139825ba23f8de61a37505ae4f43c85da84a72ef842ed923669ba8958293294e
SHA512 dfb9a3263263930a74f728448ae758e6d7bde75ee7ed5fb2c661572b93e791ddb2903f9aac7c6d4ef026f544ad2fea568aa1d0d09ca2d05e6cb5eb92c1ad43a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73b145553c80d94b415d7d8664381c57
SHA1 b598875276cf4e12cf82a7ab4dcfcad238b3b514
SHA256 4d07b9b394615a5a6f1b5c874882482291bead3aff6b82056440ca260b0c1b0e
SHA512 bc7f0b818e35ffa36691ed829a2acf3729c355710d31e4a4c10090179557bdb86d2eeeb3d6820b4f20701ed7fe73857686c20194d7c97e7344113dd77bcbc316

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 21:57

Reported

2024-05-26 22:00

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3908 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\schtasks.exe
PID 3908 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe

"C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ЗАебала.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ЗАебала.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
N/A | 127.0.0.1:53750 | | tcp
US | 8.8.8.8:53 | involved-delete.gl.at.ply.gg | udp
US | 147.185.221.19:53750 | involved-delete.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3908-0-0x00007FFC74863000-0x00007FFC74865000-memory.dmp

memory/3908-1-0x00000000009F0000-0x0000000000A1A000-memory.dmp

memory/3908-2-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

memory/2608-3-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n43wxv4f.zjn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2608-9-0x0000021CDFD50000-0x0000021CDFD72000-memory.dmp

memory/2608-11-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

memory/2608-15-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

memory/2608-18-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c08aea9c78561a5f00398a723fdf2925
SHA1 2c880cbb5d02169a86bb9517ce2a0184cb177c6e
SHA256 63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7
SHA512 d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

memory/3908-57-0x00007FFC74863000-0x00007FFC74865000-memory.dmp

memory/3908-58-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 302a161addf4cad7c6f078b7c5ad916a
SHA1 01450a35f72a6db951fb07fce749508f8aafe153
SHA256 be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6
SHA512 0c60134a2189554e6d47ef0e4845fe2d661b1d7a021bd530b8a323a2496fa7958dad31feb0022348b9c655a4aac4a9a67b13a1adafcac454a4346fa50796d8bd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1