Malware Analysis Report

2024-11-13 18:50

Sample ID 240712-xf75tsxhjh
Target cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe
SHA256 cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0
Tags: remcos nsppd evasion execution persistence rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0

Threat Level: Known bad

The file cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe was found to be: Known bad.

Malicious Activity Summary

remcos nsppd evasion execution persistence rat

Remcos

Command and Scripting Interpreter: PowerShell

Disables Task Manager via registry modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 18:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 18:48

Reported

2024-07-12 18:51

Platform

win7-20240708-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe"

Signatures

Remcos

rat remcos

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\cchn\\FHVNLE~1.EXE c:\\cchn\\ncjehr.icm" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MUJ\logs.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1732 set thread context of 992 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe C:\Windows\SysWOW64\WScript.exe
PID 2412 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2920 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2920 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
PID 1732 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 2956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 2280 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 2180 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 2460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe

"C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c fhvnleke.dat ncjehr.icm

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat

fhvnleke.dat ncjehr.icm

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "c:\cchn\FHVNLE~1.EXE c:\cchn\ncjehr.icm"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "c:\cchn\FHVNLE~1.EXE c:\cchn\ncjehr.icm"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country Destination Domain Proto
US 75.127.7.188:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 75.127.7.188:2404 tcp
US 75.127.7.188:2404 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xkurnq.msc
C:\Users\Admin\AppData\Local\Temp\RarSFX0\foshgpdw.pdf
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fjvvkggf.dll
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clkodnsw.txt
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atjl.mp2
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ftsxtpkuci.msc
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaixlatqi.docx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hmsaf.3gp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gjgoq.bmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msxm.mp3
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mspa.msc
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lawlraea.jpg
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kswn.xl
C:\Users\Admin\AppData\Local\Temp\RarSFX0\navdn.jpg
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxqg.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oiswfne.icm
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxwrjjkj.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxbqmg.jpg
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnul.ppt
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsssookr.hem
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wqhswhin.pdf
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wiholsrnv.xl
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toafuvgmcu.txt
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sxdhjeq.msc
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soktlaq.msc
C:\Users\Admin\AppData\Local\Temp\RarSFX0\roqwnfmf.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rldhm.pdf
C:\Users\Admin\AppData\Local\Temp\RarSFX0\peauqq.docx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pcxvnjlu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 18:48

Reported

2024-07-12 18:51

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe"

Signatures

Remcos

rat remcos

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\cchn\\FHVNLE~1.EXE c:\\cchn\\ncjehr.icm" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MUJ\logs.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1904 set thread context of 4664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 952 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe C:\Windows\SysWOW64\WScript.exe
PID 952 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe C:\Windows\SysWOW64\WScript.exe
PID 952 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe C:\Windows\SysWOW64\WScript.exe
PID 1352 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1416 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1416 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2036 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
PID 2036 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
PID 2036 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
PID 1904 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 1316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 1316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 4592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 4592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 4592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 3068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 408 wrote to memory of 2740 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 408 wrote to memory of 2740 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 408 wrote to memory of 2740 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1904 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1904 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1904 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1904 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe

"C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c fhvnleke.dat ncjehr.icm

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat

fhvnleke.dat ncjehr.icm

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "c:\cchn\FHVNLE~1.EXE c:\cchn\ncjehr.icm"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
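
Read together with the "Suspicious use of WriteProcessMemory" pairs above, this Processes list gives the whole execution chain: the SFX drops tckc.vbe and runs it through WScript, the script releases the DHCP lease, launches the renamed payload fhvnleke.dat with its ncjehr.icm argument, the payload adds Defender exclusions through PowerShell, registers the 30-minute WindowsRepaire task, starts RegSvcs.exe from %TEMP% (the SetThreadContext target recorded above), and the script then renews the lease. The Python below is an added example, not the sandbox's own code: it rebuilds that process tree from the report's rows and runs a handful of detection rules over the listed command lines. The rule names, the reduced set of PowerShell spawns, and the decision to key results by command line are my own choices.

```python
"""Added example (not the sandbox's code): rebuild the behavioral2 process tree from
the report's 'PID X wrote to memory of Y' rows and run detection rules over Processes."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
PAYLOAD = TEMP + r"\RarSFX0\fhvnleke.dat"
REGSVCS = TEMP + r"\RegSvcs.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Pairs copied from the report's WriteProcessMemory rows. The sandbox repeats each
# pair; one repeat is kept to show it collapses. The six PowerShell spawns of 1904
# are reduced to two (3892, 2400) to keep the listing short.
WPM_ROWS = rf"""
PID 952 wrote to memory of 1352 N/A {SAMPLE_PATH} C:\Windows\SysWOW64\WScript.exe
PID 952 wrote to memory of 1352 N/A {SAMPLE_PATH} C:\Windows\SysWOW64\WScript.exe
PID 1352 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 2036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2036 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe {PAYLOAD}
PID 1904 wrote to memory of 3892 N/A {PAYLOAD} {PS}
PID 1904 wrote to memory of 2400 N/A {PAYLOAD} {PS}
PID 1904 wrote to memory of 2132 N/A {PAYLOAD} C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1316 N/A {PS} {PS}
PID 1904 wrote to memory of 4664 N/A {PAYLOAD} {REGSVCS}
"""
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# (image, command line) pairs taken from the Processes section of the report.
PROCESSES = [
    (SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (r"C:\Windows\SysWOW64\WScript.exe", rf'"C:\Windows\System32\WScript.exe" "{TEMP}\RarSFX0\tckc.vbe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    (r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /release"),
    (PAYLOAD, "fhvnleke.dat ncjehr.icm"),
    (PS, rf'"{PS32}" -Command Add-MpPreference -ExclusionPath {TEMP}\RarSFX0'),
    (PS, rf'"{PS32}" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire'
     r' /tr "c:\cchn\FHVNLE~1.EXE c:\cchn\ncjehr.icm"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    (REGSVCS, f'"{REGSVCS}"'),
]

EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd"}
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}  # live under \Microsoft.NET\Framework*

def _base(image):
    return PureWindowsPath(image).name.lower()
def _in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()

# Each rule sees (image path, command line) and returns True on a hit.
RULES = [
    ("defender_exclusion_added", lambda img, cl: "add-mppreference" in cl.lower() and "-exclusion" in cl.lower()),
    ("schtasks_minute_trigger", lambda img, cl: "schtasks /create" in cl.lower() and "/sc minute" in cl.lower()),
    ("script_host_runs_temp_vbscript", lambda img, cl: _base(img) in {"wscript.exe", "cscript.exe"}
        and _in_temp(cl) and re.search(r"\.vb[es]\b", cl.lower()) is not None),
    ("temp_payload_non_exe_extension", lambda img, cl: _in_temp(img) and PureWindowsPath(img).suffix.lower() not in EXEC_EXT),
    ("dhcp_release_or_renew", lambda img, cl: re.search(r"ipconfig\s+/(release|renew)", cl.lower()) is not None),
    ("dotnet_utility_outside_framework_dir", lambda img, cl: _base(img) in DOTNET_UTILS
        and "\\microsoft.net\\framework" not in img.lower()),
]

def build_tree(rows_text):
    """Parse WriteProcessMemory rows into (parent map, child sets, pid -> image)."""
    parent_of, children, image = {}, defaultdict(set), {}
    for src, dst, src_img, dst_img in WPM_RE.findall(rows_text):
        parent_of[dst] = src
        children[src].add(dst)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    return parent_of, dict(children), image

def find_roots(parent_of, image):
    return [pid for pid in image if pid not in parent_of]

def render_tree(children, image, pid, depth=0):
    """Indented 'pid basename' lines for the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {PureWindowsPath(image[pid]).name}"]
    for child in sorted(children.get(pid, ()), key=int):
        lines += render_tree(children, image, child, depth + 1)
    return lines

def ancestry(parent_of, image, pid):
    """Image basenames from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [PureWindowsPath(image[p]).name for p in reversed(chain)]

def evaluate(processes):
    """Map each command line to the names of the rules it triggers (no-hit lines dropped)."""
    hits = {}
    for image, cmdline in processes:
        matched = [name for name, check in RULES if check(image, cmdline)]
        if matched:
            hits[cmdline] = matched
    return hits

if __name__ == "__main__":
    parent_of, children, image = build_tree(WPM_ROWS)
    for root in find_roots(parent_of, image):
        print("\n".join(render_tree(children, image, root)))
    print("hollowing chain:", " > ".join(ancestry(parent_of, image, "4664")))
    for cmdline, names in evaluate(PROCESSES).items():
        print(f"{', '.join(names)}: {cmdline}")
```

The tree is keyed on the WriteProcessMemory pairs rather than on a parent PID field because that is what this report exposes; on a real host the same rules would run over Sysmon event 1 or Security 4688 records, where ParentImage is available directly. Note that the rules are deliberately written against observed artefacts (a .dat executed from %TEMP%, Defender exclusions added by a process launched from an archive directory, RegSvcs.exe outside the .NET Framework directory) rather than against the random filenames, which change per build.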

Network

Country  Destination        Domain                        Proto
US       8.8.8.8:53         71.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53         43.58.199.20.in-addr.arpa     udp
US       75.127.7.188:2404  N/A                           tcp
US       8.8.8.8:53         188.7.127.75.in-addr.arpa     udp
US       8.8.8.8:53         geoplugin.net                 udp
NL       178.237.33.50:80   geoplugin.net                 tcp
US       8.8.8.8:53         50.33.237.178.in-addr.arpa    udp
US       8.8.8.8:53         103.169.127.40.in-addr.arpa   udp
US       75.127.7.188:2404  N/A                           tcp
US       8.8.8.8:53         198.187.3.20.in-addr.arpa     udp
US       75.127.7.188:2404  N/A                           tcp
US       8.8.8.8:53         147.142.123.92.in-addr.arpa   udp
US       8.8.8.8:53         172.214.232.199.in-addr.arpa  udp
US       8.8.8.8:53         13.227.111.52.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe

MD5 95a4c0c1755c731cb1175e9b0139702c
SHA1 db9ae17cf73c51ed43ed1b57cae96a5f837633ed
SHA256 7419a058ffe3a840555d3aa05b3f7520b5dbb9f6a2e81493e17d8868a9bde5dc
SHA512 5a698c0e0912635e180338e2a9314fc5f6788996e4bc6476cbdd62a7e3b008d3ff8b1588acd8ec9390aa00e6544b81ac19f5976467bcc0dd3589ea4cb676c409

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat

MD5 31db1d81c80c66640b773c535cdfa762
SHA1 9cfffe3e21ab746e18db1447bf339d1af2118570
SHA256 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211
SHA512 c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xkurnq.msc

MD5 1633f32568e3bde537bba6dd99671ceb
SHA1 97aceb61c2952dae60ec37186be2888db3e031a7
SHA256 10b680536b0109746d03127b9d6894282f773a0d5a82578f7b1455943cb28ce7
SHA512 f198ef173246445d1ba6d28c65d2b979f20eec6ee869715fe1a4de6823c93ba7a10c1ffa66b5182ca1a93a5b04f7e75c1146666263aeeaae97da43eb9c906a46

C:\Users\Admin\AppData\Local\Temp\RarSFX0\foshgpdw.pdf

MD5 e7135d10d102e4c8325c21ee85f04e9c
SHA1 a9c53ac5887e4944de235b962c162253434f0a9b
SHA256 cb04bf39ffe4ecb053e550a69f61b123c525d69eed9a332e0519cfd40bcad749
SHA512 c9a15bfbf142972e29299360f814269be33185d269c3b361af52d14daa2b47d762486753c1b011f85ce2a3576bb751feab4ee0c70092dbb25248b7fc55641fe6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fjvvkggf.dll

MD5 ae6c81318c935f5f2686d77127b36ffb
SHA1 09e6b467d2d85480d4e71368b18c7b61bcfb1edf
SHA256 2659700b56e78ea7ccde71822f140776d9b6b76bffac44a1dc3cf1b1957a3ecc
SHA512 8d46b0a42730931d86cd1a7f60dbeda615cc2c44b18ee041981d949762f09c5de7a8194a8a9b557c206943f5aaab5ec600b9d6ca6deb149d1e2d632117b8f62a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\clkodnsw.txt

MD5 fe17ec9b0ddcf4b1b9ed816909fab4b3
SHA1 01548306eca2a55b2e209dfbd9229a96a7d77837
SHA256 56d2c0a423d0e25c366401f67b5b363699b06561f7de51dcfc86181f3fdd571c
SHA512 082935074c4b3819faab75c811791621c0d3bf14785d2d7d3c08f04bdabf12012b1ac7f2c51ae529f2a09afb0d0dd8e1211934491b4086285608c6511f991acd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\atjl.mp2

MD5 d6349b47a7d1853aef2021247111e4ce
SHA1 7de49d41b73f2110f16de90c6cc4adb78c3ecff7
SHA256 0b653b877eb55386f30313107489de7f15090e51589afaf7e5504e11d3269329
SHA512 8cc6a5acd15ab747406366f6c0127e158e10ae7687352c25b4c5de53077f0d658263054915a843a75ba40497e97edc6616030b4dd05e14ab7afa935356e90762

C:\Users\Admin\AppData\Local\Temp\RarSFX0\navdn.jpg

MD5 d481f50cac12130673df83534e7ec743
SHA1 e255c5d9bf9545466dcd448bc3e2bfd018caf4d6
SHA256 c097a0919eb4b37348f8ea42bae1dd0bde9ae879402a170a668bb78ca8fe262d
SHA512 cf70a6941f764205aee926fb7edadf0f8b41f63d4fcd2b5a20e8042294a7d00371abd7e50f85dc237802cb51292ee144bc61c0f308ce4ca3c4ff4ee1884a780e

memory/3892-108-0x0000000002630000-0x0000000002666000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msxm.mp3

MD5 c203df8c58dcc521ff1a5959033a896c
SHA1 5e34d499a60594c50c9dba5f88e981306a02cac8
SHA256 8b9dba34f2c45187b68842a547f710f019045adee53236a40ed7b74e88a80d59
SHA512 034e45d51e51d95022d1468d0211fd9a7559fd14eefb5c70857f97ab9331678fd51fa9c3200481949948552dceb1c77b8e81404418da1a3e45532893fa0ee509

memory/2400-109-0x0000000004C10000-0x0000000005238000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mspa.msc

MD5 fe1daa6d203273dd57d3b71fb34e62c4
SHA1 80f58b75db83ffbb39ebc1f508eab3d2248c2581
SHA256 6812e247cc4997dc3210c250c560e67c08bfbc591a45cc7b523f042d82a3a66b
SHA512 d405ce7b934899ac8d87fa2f60fdbe17d9406c96e55ce2278d3aeb8a6adeedf80cf1eb75e16df08102731d61139562ffc1479c2c46260449baf3e54b62d97635

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lawlraea.jpg

MD5 0ea283e51a26ebee9b5b0ce3501a0f78
SHA1 fe521bec054a4558cfa57b0957a8f443c4bc89b8
SHA256 1ddc3c1bbbb3d7555af19b1adcbef741e8a2405c0aaaa7facb1f70ed25501de6
SHA512 18bbf40136dcf4d24125e7c540d715195eaffeed892e880d880cdebf74124c2bc4fcd9daf517f3d6eba4e7131e88cff64fd4d039dbe6b2989a2ff78c4db627c6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\peauqq.docx

MD5 d11c4e5e6ade3320daa901652a64855b
SHA1 9c608291994144d3d90a92aff8055d6ab2b414c5
SHA256 05716bd97f70d96b2a1d8ad10c4a791020daa91e639dee0422d2030169288a51
SHA512 bd222a7ec2a54ec11368d36efc313c23e1000c8ecff2592b2eedf2a36be4213d941e7eb2113bd3437641d0f4f7602a62cfc4e543306a5e6812e7948408522400

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pcxvnjlu.exe

MD5 6c9a83c77562620b653f4836ab6126dc
SHA1 cb5cc673b728f6e9a60de4a1e0d9e6c834324c8f
SHA256 693612ba1d2854746f60c97a0135761c29ab479cee41b8570ee163a7dbb36576
SHA512 40d6dc4aca80bb9806cd377d9d338f5ede671de73ffa881646f542e86f03a24d1f470b813b24bb281630c5e9e075a1123b384080fc5d1cc0b7731ecdd8656f47

C:\Users\Admin\AppData\Local\Temp\RarSFX0\toafuvgmcu.txt

MD5 b1e6cacd5466cf31ac951174d70b65ed
SHA1 ab67c8977319316e3b37ab3cc02aa414ff1ffe97
SHA256 614828ba79c603e81e853d285147023591d8c31bb4cf132d37cbd860f5aa5d43
SHA512 5215af4f4a7fede74e0f8620b287d2506af72d080ee30c6c61220b54eb8ce323fb2f6cc3d718a91c5c6d34d92f357e51a40647af417a1fd7a50b754faf8a6cb3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wqhswhin.pdf

MD5 60a86df180b60fe4c9345c495dabc1de
SHA1 ec012087ee69fe04169270f1144ba89d243a0195
SHA256 2936720b255a930cf63e6772e73dee254cda0fb6a3c396b699d4ad495378e5b9
SHA512 4b197d8b2e245eb9786356dfca37e464237a565afed9b0317c71305121b962dfbd6060d484531656563f97ec90a75cb7785b741d222c3eb1688e2c9b5719e45d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxwrjjkj.dat

MD5 e411d1e00aa8304add2744e2b3b03eaa
SHA1 c6e68e4cff15d70a9db1e26720ad45f3dc4e7d82
SHA256 4b3c8816f5c634be27bb37247ca614b886c8a0d563093c22aced3b32c19ba728
SHA512 0102902a2e47b9fe5d7f1b36547589406127d52e547980353d885b366cf47800c0bd4ab1bf4f94cc490f07a65ad2d3ebaa073dc031fd91992bfa6b82bc4e5f2d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxbqmg.jpg

MD5 12f7ad173f9c2bc52fbb0be142f4971f
SHA1 6b83d523dd2a17620aca2f44723999ed39e27ffe
SHA256 2c4a9138cabc51873812fb663b1b86c2d2bdd2a69558cd03d5bf896b4ebbc973
SHA512 854970a446594f932a2a021406de294f738be3baf984add2ce095b868fd27a664d579d17c9f904314aecdf8f247e9f2c6184414e186de9ec603bb4d3dccf5915

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnul.ppt

MD5 364ca7b798b58524adf7ceac90967434
SHA1 c541fb4a61bb3420fbea6dbb27a2546e62d80d83
SHA256 3dba637b888d739ddd2bdb4c1363d1630517e1395514dc3349a1ed6d25548d80
SHA512 067a6ee4031eacb425657c1e3ce688e0be12ed44097f67e2126c6da42603b090beedd18a78090d195d30538069e23e53940618f18da5635b7715a35dfc13df31

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xkurnq.msc

MD5 faa2749611de93321011355f75ced356
SHA1 572b290782a0e604758e9511c3725192a696c7a3
SHA256 1f000264821a46020be193ea0c57ef929c5f1fa198202449926de417502354fc
SHA512 22a2cd9e0f37ecbae70bcfc1bcfb9bb9bedcf866530a50463b42df5f13b0ad08a7c5e57cfe227686559ac474adc2d2711f6971b37bf47d5486c0bf441a23aae1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsssookr.hem

MD5 56c1b41b3322dd4018d24f1e38d6b126
SHA1 ec063537db26e581b1a6ec632f83fa3686b832c5
SHA256 d6459e8b70a13dfc105eabfbc5512c60dc85f8f63207b2f4e451980aa3a44b4b
SHA512 c7d1482ae63a21924234e88436e1f24ba26604b74b23c53728e57356799254affb26656772a1b3e90e1801a17096d963baf3f1bee137d5fe518deffcd8e68cd2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wiholsrnv.xl

MD5 e63e624e580570f42405239a7431e1f9
SHA1 1a6cf95f8c7704f7b48268efd337e0ebaeb44821
SHA256 08519611ecc95be2e68a746a3aa8a333bfb5c3a7e1b3dc611fdb65b732af2d37
SHA512 e79a3b20c33b4f9eb3a60b31d33d8f393d633be4fce715bfd4de06012af6ea7479a00fe22bd89222dffe0d7dc2963e498547dbf44f5ca6d5dccfc3e430c23dd3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sxdhjeq.msc

MD5 66eb9113d939530be9abe06b8d46edaa
SHA1 2d60c01ba8eb080b8dbd9fe6694727da1db21a9a
SHA256 5b7609ba739729b94486274f866be66ecd21de47bd56614e23593b3f54e02ff4
SHA512 9b2b6125c1311c27cf898c2e4a01eb36979e15cb330ac4a857c352b3952a51a8f47be9c6ec8114d71ae083c07145e58541c9eeef13ecd20eb8bbdfe2fe0881ff

C:\Users\Admin\AppData\Local\Temp\RarSFX0\soktlaq.msc

MD5 d22c26946baeef2ec95cdae7497bad66
SHA1 538779f3e21d10e5c874713a02985f871b8a3637
SHA256 3e32f48ab7ce46785a2ff2fae2dadc6084a32f62965c4fc3f712b0d781d6ee1a
SHA512 5c7068d5c66516977c657fdc9cd6d3e9697e2f9454acdc20d3eca88542238222752f550c55503682d1d036ef702696fed326a6c9152917b31a43477931ac2879

C:\Users\Admin\AppData\Local\Temp\RarSFX0\roqwnfmf.dat

MD5 9c6922f01aa1b9c595a5800d9af41e92
SHA1 135a94d51b1b818319e35132f3dee3fd70c0d401
SHA256 367fdf18a6a5f193f9a9c38acc5a154b33d7372b868add997e912449b28bc22d
SHA512 5c941ce2da8f57a0115bf98bf38d6a62688cbfc1970ae9ffa55801de9e05934d465c8cf079b3b2e5ec9f84465194dd85cf3d17f02771ef43346fc00e64cbbe68

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rldhm.pdf

MD5 976e46ae2b703fc8693fe13ec2ccb752
SHA1 ec7245488a7c844ee829627c1289c62361f215bc
SHA256 7c71c2ff4869230355138e445d96f892d30a71fef346dbf1d2607315828353ed
SHA512 d25ba5e4b41020b6255a9b19cb07786e584dd9a2e231a6d06533c1a7fae31ffeb5ba4be9fbe8ea03aacec4a8f3721611a1bf13be2f0662e5a62471746f2fd09d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxqg.exe

MD5 5e9707562e9a88352c732e9a6049d486
SHA1 e4593f2ad0795b6edda90d60f09a6fc481993e65
SHA256 8ed8b5c171af40b35876c889ee07804de0d2c5d44f2a0755e151b39fc03b1cf2
SHA512 b0749ce0c5cafb706208525c5b81c291306139ffa1608d4c714c0344a6aaf7d217dea2c583d027f56dcfa5364814fd30e7a3899409d2c938b851fdde7652d078

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oiswfne.icm

MD5 ccfc02352a97fc37e2e8a7868a766a17
SHA1 0971d1638faf9856340c7b276d3d80de18fe552f
SHA256 638f8a50aa09868ac19addbeb095ef3aa0e062d6dff78a89ee1605a5342016eb
SHA512 b72a8c92eb51b6e05deebef90acd572ceaa6422894d898a162d68fcaee411a8bac780f8e60a74a5fccf31f1bc4db8680ce3863f8e4d9314118014440a26f3940

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kswn.xl

MD5 bb3af83d198af53d8e8865c4cf90a634
SHA1 0a4c316542b0ac348b28bbd079e754aa68ce13bc
SHA256 dcba54a098d1f6e337532205b849ab27b16401a73bd0f1c82f394333f94b8c32
SHA512 226cfd639707da01b2e8fd81cd0b9dc16f107decdf91ea80f2845dbc69e39eec6107faa8ff88a3125185eb6aeb85402de4dc4c198e06e020ae89811e05aaffb2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hmsaf.3gp

MD5 d2ad3df96aa34af12040e7eb23e19602
SHA1 b0af79b8a50bcc572405dd500a8bb76315f136e8
SHA256 8b42f41fa9dcb635a294d1692fa514d6f732ae6298816f9ada27a987329c22ba
SHA512 a66295fdbc6a92c72a1d97aab91e5f9d8e9fe228e81bb5fa9271d44920975de5adf460b223b92eeb4cb02cd9c6f6e8e787f1cca508cb645a8071debdc04b1935

memory/408-179-0x00000000057F0000-0x0000000005812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gjgoq.bmp

MD5 a021329fdd5956e6dca8fb89147e0d00
SHA1 664c32ed8ee46ba01ba62996189b7c4cae84b377
SHA256 568b93b08346a96b14d8b8b10e7834385359b1ce77353f6c411a5a6f4685fbe0
SHA512 70ea6be254c2a5d051b90df8886af12fdaf433638c22dd1244ce2ed293a0b7ff63ffd5f8e214f3831b50a9e0acf41d831fadf915923e1573150c1a1847afbfa7

memory/408-181-0x0000000005900000-0x0000000005966000-memory.dmp

memory/2400-182-0x0000000005500000-0x0000000005854000-memory.dmp

memory/408-180-0x0000000005890000-0x00000000058F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaixlatqi.docx

MD5 21ea8d814c36e64201c6e009bd6285ac
SHA1 f39c8795f6d68b13f967820f8ee66bd385ef8d95
SHA256 a97c5ff9fbc31c7ddc409645bf091924daa06182d8370285d52cbe2eaf2d612e
SHA512 a39ef08a6761cc4370661ff8770110237321467bfc9eddf6749f24d6aec4a3b5a62721023ac20cb3f258df460117147b63661d24d543df697708ecab56c807fe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ftsxtpkuci.msc

MD5 c75006d243b6f10d50120f9a5f7b4ac0
SHA1 47abf77308a99ff9f67aeee6070080e7fb2f5df7
SHA256 8bd5d72f4c378fc7b185c4d355c5449c0e9e5b0a88d33449bfb6ac321e7fa6d4
SHA512 3b844cd83ed2fff71debd865631f78a3f3f781cd58c419cac005829c93af42e31dc91b67c7901f691a47434f3094329577e9c619b091b4a5fa4c181e676f87d0

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_peuzslub.is2.ps1

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
