Analysis Overview
SHA256
096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf
Threat Level: Known bad
The file 096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft WebBrowserPassView
NirSoft MailPassView
Detected Nirsoft tools
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-19 13:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-19 13:50
Reported
2024-07-19 13:53
Platform
win7-20240704-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop Outlook = "C:\\Users\\Admin\\AppData\\Roaming\\awgo\\EOCCFR~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\awgo\\lkjaaj.msc" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2636 set thread context of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe
"C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c eoccfrsi.msc lkjaaj.msc
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
eoccfrsi.msc lkjaaj.msc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 75.127.7.188:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 75.127.7.188:2404 | | tcp |
| US | 75.127.7.188:2404 | | tcp |
| US | 75.127.7.188:2404 | | tcp |
| US | 75.127.7.188:2404 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe
| MD5 | 004a8063aa902f25a2a60018fc35d3a9 |
| SHA1 | 47ea2f98c80abfa5de178755677c7f611a9e2ce8 |
| SHA256 | 4f042809ed74459f70ad83b91f8308ba1dad0be6fe35c73a751960403823bd6a |
| SHA512 | ff119c33a1176247c4409e97a2123d0e236b40b83c010811fecd0922d6fe0095f5c469963a3229ae7b9db3e882ae17746b15d1d1ec27508060b86183044f45eb |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
| MD5 | 31db1d81c80c66640b773c535cdfa762 |
| SHA1 | 9cfffe3e21ab746e18db1447bf339d1af2118570 |
| SHA256 | 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211 |
| SHA512 | c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjvqtwjcxc.dll
| MD5 | 8935c2ba9f22d65161fff70e643e92ee |
| SHA1 | 4a6823c4ae819e18b15171bb289d8c5ca813422e |
| SHA256 | f64b5ef00337821844a2485c18c5d0bdae3c705e85e2e1ce8b864e060c8b74f8 |
| SHA512 | 0a78309d6bbf4f01da9fbb3f97b84eb773da372b659fd8d7ae8c4e4e1079477788533c86df952332217a89f19f52b8c919ad0cc878fc7fac76a1c2214129098d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ghlouehf.txt
| MD5 | d6d3a3233d7cf818aab5262f8a497881 |
| SHA1 | 4e125b6adaa9e4108344c50ed9ab76c633b66a46 |
| SHA256 | 0f742bfdff8013d1f61617446f5e3951e094314a29a25bebb5052eabe5e3d3a0 |
| SHA512 | 41010ff3deb6944287189f9467830d4f3e61d386963ed777d5a934c955fd38b798320e77db0125159e7f3e0bafab97c30224d4e082808ac09401feea5359107f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kdootbdd.dll
| MD5 | 07985a733f71f7c45ce37ca0cd913dab |
| SHA1 | 823a038c3da489e3c74ac045bd65446bf0d8bf5a |
| SHA256 | 8aa5e280d8b9256d33bb4b2c105cba4f62bbf9c3c5c4b9bc6bc8c6ee6ff6a165 |
| SHA512 | b9d8c0c9889ec1973711581b245ad1cc5f749647f283d9713af9d6230c12d23eaa816fedb518f232e6483c42dcf0d2e9d05898cdb8dc2edbdbce9a3ab3d6ec7c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jlknkx.dll
| MD5 | 1b438f72e1fff271d24021430d6c3ebe |
| SHA1 | 49df6d07cb5ffceb19bf070a004ac70c41d41786 |
| SHA256 | 67ac5749336fe9cbca652dd9e3ac4d03519e1c161a395691a0f5580ed545f453 |
| SHA512 | e4f7a5a9d1e77b87cf7b00c959017ee78ceba605496c161f170b5c5a35edfcf1b4168b0d91c43b7009d9294bdff802d5be62a15bab2bdc68e0cd4cd97c807206 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gpvttmwcco.docx
| MD5 | 23831215c860dabf02d3ea85e1415a4f |
| SHA1 | 90c69d7e72ebd4774a0b330908cfb1564cc7a96e |
| SHA256 | e783d53e94c1b90d8225f5fcb6bfa5ad6df2c9b578791c7472cd63f607a2a80c |
| SHA512 | 1c547f8a9bc3dc2576b880d5e83fb1aa3581bb922acc7b76838e19202d114c598c388c4ff927ab51c85d3460d8375eb01014b2d24826e5169aade6e79a3f4ab1 |
C:\Users\Admin\AppData\Roaming\awgo\mjvqtwjcxc.dll
| MD5 | 05289151577dbfb9b9da00d2976804c3 |
| SHA1 | 5f6aaad5d5d6a00872975b0db7253d963cc3bd50 |
| SHA256 | 39af376b2ca11e08c23c4b82826803704eb5accfe3dadd5643bdea8a7fa12b6d |
| SHA512 | 50bf9002221700c98c5997d8103f9478364d16bc2853ab4a01ac19147a6ad90b16ae61c24252f5667abd5e3d4e3886f6aa0c251c1e406a50eccba9d5b407b653 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lrtphskvo.mp3
| MD5 | f96ff517e1872d3d0833a4396ed5fb13 |
| SHA1 | 7895defa294bb3f85a9983244fadcd4e56736c5b |
| SHA256 | 87d300f970f25bdc5773f8d9dfb6a076af9bfee63c1f5519e2e1c8f709065e69 |
| SHA512 | c5e505118875234d27bf95952ef3ab52efee7cd2d4035830336fb3f8e8c66eef0902c16f47d3a5ff8d2c1a9c1c5e1cabe372dff4a114122962a5640a490cf21f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nslnokot.xl
| MD5 | 8bc52a1186422e129c0dacb2f3740bae |
| SHA1 | c30eca43669e7e7122d74801a24079bd06e715aa |
| SHA256 | 061d5d78cffd6ba45ec6be56d58e90f4c3b1033cb700d2965a0d8fc24b098d8e |
| SHA512 | b44e57193adf35314676924dd85f27f7c73f6dc044590b9b1f51ffdf449a65daa6904b505da831af751007e2d4037cf617c3ad1c78caca0351c182770ca8d7ac |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvkmtj.bin
| MD5 | 20c3960284681d57870501f88ab90ce0 |
| SHA1 | ba73c87174e3aa7fe1d5abae87a4f1ad6b00bca6 |
| SHA256 | 7e7d92f5e021bf85541cfc97760915f7bc3717b13da995704ede1ac822ad0437 |
| SHA512 | 032381905afb553bb88f2885b1a2bee668b26f67f202ddc107590bf03cbdff492d73dd7d62ea3391e6543d90f1fff7c081b08afa7c65ba6dc5eb7009f1b60242 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\emhdgqkk.ppt
| MD5 | 3c2527d519379be6527150634a61e3b5 |
| SHA1 | f2f30a0a9bc89a57c13f2ad9fcc4df684706f672 |
| SHA256 | 7302c0116d73564ad50b06e8dce5327cade742120b535810693d1b0bf411bb53 |
| SHA512 | 12f1559a8fa81e5a2d5a4a5d7c161eca4e1b73b0cfb7edcf19e0fb17748cede40e2489e7fad20d8be8efccfd385d0912df1a1fa579a432898e36734702c4bf77 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dexxnd.msc
| MD5 | 4fbc72d312e093beb8a3136219065822 |
| SHA1 | 398f941d09a6be7451487875864e14bf5ee00f25 |
| SHA256 | 20e3103abfd6c45bd15e8c9868259d7218319d2185268ef91bb7d72f4d71b666 |
| SHA512 | 67b7738e796ad0c941b111069e2afc1fab28d9b0f497f220de06ce394598442f25383718ee5bd1ebc7a7be673a3b68c1be68ac6271c4bdc92fed0e81c7211e0f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqkhe.icm
| MD5 | 5581b6d2b6b75702e0103dad918690e7 |
| SHA1 | ae2326064713172bb6bd3942c02bd374fbbc72c2 |
| SHA256 | c7c2d274186b27e864102c5b0ef98d733c5d1059b28345fc7c7699b4c5ad84cf |
| SHA512 | 770252372c1a384f683ae990b0f3ff56022ddaf537890d9882819e64ab88186c46a9f95b39a8d97ff194dd1167b993971c9adf5bb30b4ec3bb87c96e0536466c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tbbsgeqa.dll
| MD5 | 8a7de2188bc4fbcea9b77b3855c3319f |
| SHA1 | 7d5234ee4135bffe814d4221c4533300d79c3b42 |
| SHA256 | 554ae23bcf441c91b664e802249e7177498c7efdc41f6011b62c8e15ac875a97 |
| SHA512 | 6d13762a7a71b644aa174009665674e52f9f9830522af2688becaf8ec9686994ead7836870dc2f6b1b810f464db613fcd0cc55aa7c90a34f2254eb9d5326d301 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pgqqpkgosi.msc
| MD5 | e816bfb27c7b5b628e1062cca9577257 |
| SHA1 | 54746bb1ac29cf251577b2d41d88e33df4d243cc |
| SHA256 | ec54ef8d547f6b413159a5cdf006a022fe19467f044d58442a691a82908878a3 |
| SHA512 | fd461403f4399f7f7209900d09b5b4296f94046300028240fb8ffb523600f83b1d8a73e85398f04e55c3054c49b0ac69d55d637f83221202911924e497d4bb1c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tepnjh.dxh
| MD5 | 3b5ad23ea9ef85bf03191c08d0362ffe |
| SHA1 | 3f5f9ce3e99c107fda49ec6e10221f7bdaacea30 |
| SHA256 | fd5011e6560f01bd34a3116f6c73b4a7c09442b9926e47a53d64486033b871ae |
| SHA512 | 091aa5695edcd9d3e4edf9fc21bce017ab4bb89cde02eaf00ab6353baa4131f1b97d2114c6d6b6fbd964a66f2fe76f975eeb21c7ab8e4058048ace0fd5c19397 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\texrrjumle.dll
| MD5 | 1ab25e716281bf231ac3d32bd1e88d92 |
| SHA1 | 9111b7b613fcad290f31a1504ae97b8321a28607 |
| SHA256 | 38885d4f8516f7830d6a46aac1602b89b6ee3c85a7fec6267aa59b18d9ec21a5 |
| SHA512 | 0d3919dfa4ed5a5785f88c41ebc0cb5bdaa9a6e5b0871fb0b94dcae764069b02ed42750e74b24a5738378e63ce3b840e6f63bd0fbbc847dd5fff5ccafb31ded7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tkqkr.bmp
| MD5 | 099d19dba7ae668571f2f966436eec2b |
| SHA1 | 4ffd0761ebb42b692bacbb922afe97610f9eea18 |
| SHA256 | 23166dd60c3c6614b7cdc516d5d9309a92817fc692784494ebe72d22eeec5736 |
| SHA512 | 9748043405a2e25a7945d8b6af7dbe616ef27a855cd4d8ed449e9572b17d1dcbdc5885ac3951e044e537ee08a6d60dc60a4acb9099cd518cfb149696dad162aa |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\odsmlp.bin
| MD5 | f0c663c98d2c84c31bd24f8ac6a3716e |
| SHA1 | 4a5ed1a6a413bdb83bfd845d5d1799f36d2e0033 |
| SHA256 | 9e80f7cd7113fd2cec9a2b3abfe073eb74b6582bd16e668dbb0298a1a8c51704 |
| SHA512 | 347d8b4aa432c8e9db0a808d0b7a4eb68c52775ab359ee367ea097a600b111143aae5c26aee69715b551131a49a4c3f1ace0036ae5846bc74b4eb945823892b0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vlkpbokcl.jpg
| MD5 | 3f7b3d13ae3087fc81b69a9092490afa |
| SHA1 | 9f0141684f1fbab4d4d372afb81f28abfb71de7e |
| SHA256 | 72a0263259831d8a1597e94d7019c1721b80febd664f7297612f5b98d3b57e33 |
| SHA512 | 705e6a778057b265cd95fe4079598987184a6b5a1f23748cf2339b089c3467ab87fe803c30154ca198c760aedd440d1d7a61210b57e5fcef75d903dcc827733c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waxmcshnxg.msc
| MD5 | eae9e9ddbfff09d7941b2224ba7e5765 |
| SHA1 | 53341f499ca08dcc3c67a4d68f6ea18fda0ead75 |
| SHA256 | 4c57baff128fd73131bd2f928e6a2d034118f22f79608ca915d9061f45c85161 |
| SHA512 | fbafd8126f9d44e3eb22783fc7751e85ab81538a3aea1268122672e9fb05d33798335a2769e89499203c8048abbcb623075685685585a33cd1e018a23412a406 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnxrl.bmp
| MD5 | 3da8ca1447d337664bf24b4486964a50 |
| SHA1 | 82cd9ecaadba7be06cd2d511d06652a235149146 |
| SHA256 | ad0c11d42c262343733117eed3c7c862fd0c0286cac1940991cf15d10f6b9106 |
| SHA512 | b7abbf6e5b99726d094a08eb3a100d3df7df45449a1735bf50e016d94bc9356d21c172b124b9ef219455b5d524647f3ca107cfaf30815b5c83c1876161e77eda |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 623e499ed5de8643b83a58a7f5b57484 |
| SHA1 | 7d22dd5414f0d0e8af103026dbbbf62b87c09cc2 |
| SHA256 | fdb1cc1e2607c183038943a2773410d852f73764c756c44be057f706938ed396 |
| SHA512 | 3b7468bbf2b1492aaba5f03f3268ec0e8bd32c282fe05081460311ca7568d2108347bbe62150a2bfd7471649f5f6b223bfb63f47a339cd71e08e8d87d9934536 |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/2880-192-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-197-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-201-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-198-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-195-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2880-202-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-203-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-204-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-206-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-210-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-209-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-212-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-213-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-214-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-215-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-216-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-217-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-218-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-219-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-221-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-220-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-223-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-222-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-224-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-225-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-226-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-227-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-228-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-229-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-230-0x00000000003B0000-0x00000000013B0000-memory.dmp
memory/2880-231-0x00000000003B0000-0x00000000013B0000-memory.dmp
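The SetThreadContext rows above ("PID 2636 set thread context of 2880", source eoccfrsi.msc, target the dropped RegSvcs.exe) and the memory/2880-… dump list describe the same event from two sides: the injector and the process whose memory the sandbox kept dumping. The script below is an added example, not part of the report, that joins the two by PID. It reads the dump file names in the layout shown on this page (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp), copies a subset of the behavioral1 dumps and one behavioral2 event (PID 2392 → 436, for which the page lists no dumps), and checks whether the target runs from outside the .NET Framework folder. Treating the repeatedly dumped 16 MiB region as the injected payload is this example's inference, not a statement the report makes.

```python
"""Correlate SetThreadContext events with the sandbox's memory dumps.

Added example for this report; the inputs are copied from the behavioral1
and behavioral2 signature tables and from the memory/ dump list (a subset),
and the dump file-name layout memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
is taken as it appears on the page. Reading the large region as the injected
payload is an inference made here, not a statement from the report.
"""
import re
from collections import defaultdict

SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DOTNET_FRAMEWORK = "c:\\windows\\microsoft.net\\framework"

# (description, source process, target process) as in the signature tables.
SAMPLE_CONTEXT_EVENTS = [
    ("PID 2636 set thread context of 2880",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\eoccfrsi.msc",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegSvcs.exe"),
    # behavioral2: the hollowed RegSvcs.exe hollows its own children; no dumps
    # for PID 436 are listed on this page, so the join must tolerate that.
    ("PID 2392 set thread context of 436",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegSvcs.exe",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegSvcs.exe"),
]

# Subset of the behavioral1 dump names, copied from the report.
SAMPLE_DUMPS = [
    "memory/2880-192-0x00000000003B0000-0x00000000013B0000-memory.dmp",
    "memory/2880-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2880-197-0x00000000003B0000-0x00000000013B0000-memory.dmp",
    "memory/2880-198-0x00000000003B0000-0x00000000013B0000-memory.dmp",
    "memory/2880-201-0x00000000003B0000-0x00000000013B0000-memory.dmp",
    "memory/2880-202-0x00000000003B0000-0x00000000013B0000-memory.dmp",
]


def parse_dump(name):
    """Return (pid, sequence, start, end) from a dump file name."""
    m = DUMP.fullmatch(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def correlate(ctx_events, dumps):
    """Join each SetThreadContext event to the dumps taken of its target PID."""
    # pid -> (start, end) -> number of times that region was dumped
    regions = defaultdict(lambda: defaultdict(int))
    for name in dumps:
        pid, _, start, end = parse_dump(name)
        regions[pid][(start, end)] += 1

    results = []
    for desc, src, dst in ctx_events:
        m = SET_CTX.search(desc)
        if m is None:
            continue
        src_pid, dst_pid = int(m[1]), int(m[2])
        regs = regions.get(dst_pid, {})
        largest = max(regs, key=lambda r: r[1] - r[0], default=None)
        results.append({
            "injector_pid": src_pid,
            "injector": src,
            "target_pid": dst_pid,
            "target": dst,
            "target_dumps": sum(regs.values()),
            "largest_region": None if largest is None else {
                "start": hex(largest[0]),
                "size_mib": (largest[1] - largest[0]) / (1 << 20),
                "dumps": regs[largest],
            },
            # RegSvcs.exe belongs under %WINDIR%\Microsoft.NET\Framework*; a copy
            # in %TEMP% is a dropped host for hollowing, not the real utility.
            "hollowing_host_dropped": not dst.lower().startswith(DOTNET_FRAMEWORK),
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_CONTEXT_EVENTS, SAMPLE_DUMPS):
        print(r)
```

For PID 2880 the join reports one 16 MiB region at 0x3B0000 dumped five times plus a single 4 KiB page; the legitimate RegSvcs.exe is a small .NET utility, so a region of that size in a copy running from %TEMP% is what a responder would carve first. The second event shows the behavioral2 pattern, where the already-hollowed RegSvcs.exe applies the same technique to its own child processes.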
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-19 13:50
Reported
2024-07-19 13:52
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop Outlook = "C:\\Users\\Admin\\AppData\\Roaming\\awgo\\EOCCFR~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\awgo\\lkjaaj.msc" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2372 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 2392 set thread context of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 2392 set thread context of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 2392 set thread context of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe
"C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c eoccfrsi.msc lkjaaj.msc
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
eoccfrsi.msc lkjaaj.msc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnoqhkxdmscuzbooexqcwsmecpep"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\chtbadifiauhbqcsvidvhfhuldvybjqd"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\chtbadifiauhbqcsvidvhfhuldvybjqd"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejzt"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejzt"
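The Processes lists of behavioral1 and behavioral2 show the same chain: the SFX drops into RarSFX0, WScript runs juix.vbe, eoccfrsi.msc is executed as a PE, eleven PowerShell invocations retry the same Add-MpPreference exclusions with different quoting, schtasks registers a 30-minute task whose action uses the 8.3 short name EOCCFR~1.EXE under %APPDATA%, and a RegSvcs.exe copied to %TEMP% is run with the NirSoft /stext switch to write recovered credentials to a file. The script below is an added example, not the sandbox's own signatures, that turns those observations into command-line rules and runs them over events copied from this page. The ProcEvent wrapper, the MITRE IDs in the comments and the final benign control event (RegSvcs.exe from its real Framework folder, with an assumed argument) are constructed for the example.

```python
"""Command-line triage over the execution chain shown in this report.

Added example, not the sandbox's own signatures. The image paths and command
lines are copied from the Processes sections (behavioral1/behavioral2); the
ProcEvent wrapper and the last, benign control event (RegSvcs.exe run from its
real .NET Framework folder with an assumed argument) are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str     # image path as the sandbox logged it
    cmdline: str   # command line as the sandbox logged it


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPED_REGSVCS = r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

SAMPLE_EVENTS = [
    ProcEvent(PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0'),
    ProcEvent(PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe'),
    ProcEvent(PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe'),
    ProcEvent(CMD, r'C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"'),
    ProcEvent(CMD, r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    ProcEvent(DROPPED_REGSVCS, r'"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"'),
    ProcEvent(DROPPED_REGSVCS, r'C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnoqhkxdmscuzbooexqcwsmecpep"'),
    # Constructed control: the genuine utility from its normal location.
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Example.dll'),
]

# Defender exclusions added from the command line (T1562.001); keying on the
# cmdlet and parameter catches every quoting variant the report lists.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)
# schtasks /create with its /tr action captured for inspection (T1053.005).
SCHTASKS_CREATE = re.compile(r'\bschtasks(?:\.exe)?\s+/create\b.*?/tr\s+"?([^"]+)', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SHORT_NAME = re.compile(r"~\d+\.")               # 8.3 short names such as EOCCFR~1.EXE
NIRSOFT_STEXT = re.compile(r"\s/stext\s", re.I)  # NirSoft "save as text" switch
# .NET Framework utilities that legitimately live only under the Framework folders.
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
DOTNET_DIR = re.compile(r"\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v", re.I)


def triage(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if DEFENDER_EXCLUSION.search(ev.cmdline):
            findings.append(("defender_exclusion_added", ev.cmdline))
        m = SCHTASKS_CREATE.search(ev.cmdline)
        if m:
            action = m.group(1)
            if USER_WRITABLE.search(action):
                findings.append(("schtasks_persist_user_writable", action))
            if SHORT_NAME.search(action):
                findings.append(("schtasks_action_uses_8dot3_name", action))
        if name in DOTNET_UTILS and not DOTNET_DIR.search(ev.image):
            findings.append(("dotnet_util_outside_framework_dir", ev.image))
        if NIRSOFT_STEXT.search(ev.cmdline):
            findings.append(("nirsoft_stext_dump", ev.cmdline))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:38} {detail}")
```

The relocated-utility rule fires twice (the bare RegSvcs.exe launch and the /stext child) and stays silent for the Framework-folder control, which is the distinction that matters when RegSvcs.exe is also on the Defender exclusion list: the exclusion names the file, not its path.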
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 75.127.7.188:2404 | | tcp |
| US | 8.8.8.8:53 | 188.7.127.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 75.127.7.188:2404 | | tcp |
| US | 75.127.7.188:2404 | | tcp |
| US | 75.127.7.188:2404 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
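Most rows in the two Network tables are not indicators: 8.8.8.8:53 is the analysis VM's resolver, the in-addr.arpa names are reverse lookups (188.7.127.75.in-addr.arpa is the PTR name for 75.127.7.188), and tse1.mm.bing.net is Windows 10 background traffic. What remains is repeated raw-IP TCP traffic to 75.127.7.188:2404 and a lookup of geoplugin.net, a public geolocation API that Remcos queries for the victim's country. The script below is an added example, not output of the sandbox, that reduces rows copied from both tables to that set; it also repairs rows where the report's layout shifted the protocol into the Domain column. The background-traffic allowlist and the "raw IP, TCP, non-web port" heuristic are this example's assumptions.

```python
"""Pull actionable indicators out of a sandbox Network table.

Added example for this report. The rows are copied from the behavioral1 and
behavioral2 Network sections (including rows where the report shifted the
protocol into the Domain column); the allowlist of Windows background
traffic and the "raw IP, TCP, non-web port" heuristic are assumptions of
this example, not findings stated by the report.
"""

SANDBOX_RESOLVER = "8.8.8.8:53"          # the analysis VM's DNS server
LOW_PORTS = {80, 443}                    # plain web ports; not treated as C2 here
# Assumed allowlist: Windows 10 background traffic seen in the second run.
PLATFORM_NOISE = {"tse1.mm.bing.net"}
# geoplugin.net is a public geolocation API that Remcos queries for the
# victim's country; it is context, not infrastructure to block on its own.
WEAK_INDICATORS = {"geoplugin.net"}

SAMPLE_ROWS = [
    "| US | 75.127.7.188:2404 | tcp | |",      # proto shifted into Domain column
    "| US | 8.8.8.8:53 | geoplugin.net | udp |",
    "| NL | 178.237.33.50:80 | geoplugin.net | tcp |",
    "| US | 75.127.7.188:2404 | tcp | |",
    "| US | 75.127.7.188:2404 | tcp |",        # trailing cell missing entirely
    "| US | 8.8.8.8:53 | 188.7.127.75.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |",
    "| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |",
]


def parse_row(row):
    """Split one '| Country | Destination | Domain | Proto |' row, repairing
    rows where an empty Domain cell let the protocol slide left."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if proto == "" and domain.lower() in {"tcp", "udp"}:
        domain, proto = "", domain
    return country, dest, domain, proto.lower()


def ptr_to_ip(name):
    """'188.7.127.75.in-addr.arpa' -> '75.127.7.188' (octets are reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_iocs(rows):
    """Classify rows into C2 candidates, weak indicators, PTR lookups and noise."""
    c2, weak, ptr, other = {}, {}, set(), []
    dropped = 0
    for row in rows:
        _, dest, domain, proto = parse_row(row)
        if domain in WEAK_INDICATORS:
            weak.setdefault(domain, set())
            if dest != SANDBOX_RESOLVER:          # keep the resolved endpoint
                weak[domain].add(dest)
            continue
        if domain in PLATFORM_NOISE:
            dropped += 1
            continue
        if dest == SANDBOX_RESOLVER:
            if domain.endswith(".in-addr.arpa"):  # PTR lookups made by Windows
                ptr.add(ptr_to_ip(domain))
            else:
                other.append(("dns", domain))
            continue
        _, _, port = dest.rpartition(":")
        if domain == "" and proto == "tcp" and port.isdigit() and int(port) not in LOW_PORTS:
            c2[dest] = c2.get(dest, 0) + 1       # repeated raw-IP sessions
        else:
            other.append((dest, domain, proto))
    return {
        "c2_candidates": c2,
        "weak_indicators": {d: sorted(v) for d, v in weak.items()},
        "ptr_lookups": sorted(ptr),
        "other": other,
        "noise_dropped": dropped,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The PTR entry is kept separately rather than discarded: a reverse lookup of the same address that the C2 candidate points at corroborates that the session was established, which is useful when the sandbox table gives no byte counts.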
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe
| MD5 | 004a8063aa902f25a2a60018fc35d3a9 |
| SHA1 | 47ea2f98c80abfa5de178755677c7f611a9e2ce8 |
| SHA256 | 4f042809ed74459f70ad83b91f8308ba1dad0be6fe35c73a751960403823bd6a |
| SHA512 | ff119c33a1176247c4409e97a2123d0e236b40b83c010811fecd0922d6fe0095f5c469963a3229ae7b9db3e882ae17746b15d1d1ec27508060b86183044f45eb |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
| MD5 | 31db1d81c80c66640b773c535cdfa762 |
| SHA1 | 9cfffe3e21ab746e18db1447bf339d1af2118570 |
| SHA256 | 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211 |
| SHA512 | c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjvqtwjcxc.dll
| MD5 | 8935c2ba9f22d65161fff70e643e92ee |
| SHA1 | 4a6823c4ae819e18b15171bb289d8c5ca813422e |
| SHA256 | f64b5ef00337821844a2485c18c5d0bdae3c705e85e2e1ce8b864e060c8b74f8 |
| SHA512 | 0a78309d6bbf4f01da9fbb3f97b84eb773da372b659fd8d7ae8c4e4e1079477788533c86df952332217a89f19f52b8c919ad0cc878fc7fac76a1c2214129098d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kdootbdd.dll
| MD5 | 07985a733f71f7c45ce37ca0cd913dab |
| SHA1 | 823a038c3da489e3c74ac045bd65446bf0d8bf5a |
| SHA256 | 8aa5e280d8b9256d33bb4b2c105cba4f62bbf9c3c5c4b9bc6bc8c6ee6ff6a165 |
| SHA512 | b9d8c0c9889ec1973711581b245ad1cc5f749647f283d9713af9d6230c12d23eaa816fedb518f232e6483c42dcf0d2e9d05898cdb8dc2edbdbce9a3ab3d6ec7c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jlknkx.dll
| MD5 | 1b438f72e1fff271d24021430d6c3ebe |
| SHA1 | 49df6d07cb5ffceb19bf070a004ac70c41d41786 |
| SHA256 | 67ac5749336fe9cbca652dd9e3ac4d03519e1c161a395691a0f5580ed545f453 |
| SHA512 | e4f7a5a9d1e77b87cf7b00c959017ee78ceba605496c161f170b5c5a35edfcf1b4168b0d91c43b7009d9294bdff802d5be62a15bab2bdc68e0cd4cd97c807206 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gpvttmwcco.docx
| MD5 | 23831215c860dabf02d3ea85e1415a4f |
| SHA1 | 90c69d7e72ebd4774a0b330908cfb1564cc7a96e |
| SHA256 | e783d53e94c1b90d8225f5fcb6bfa5ad6df2c9b578791c7472cd63f607a2a80c |
| SHA512 | 1c547f8a9bc3dc2576b880d5e83fb1aa3581bb922acc7b76838e19202d114c598c388c4ff927ab51c85d3460d8375eb01014b2d24826e5169aade6e79a3f4ab1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ghlouehf.txt
| MD5 | d6d3a3233d7cf818aab5262f8a497881 |
| SHA1 | 4e125b6adaa9e4108344c50ed9ab76c633b66a46 |
| SHA256 | 0f742bfdff8013d1f61617446f5e3951e094314a29a25bebb5052eabe5e3d3a0 |
| SHA512 | 41010ff3deb6944287189f9467830d4f3e61d386963ed777d5a934c955fd38b798320e77db0125159e7f3e0bafab97c30224d4e082808ac09401feea5359107f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnxrl.bmp
| MD5 | 3da8ca1447d337664bf24b4486964a50 |
| SHA1 | 82cd9ecaadba7be06cd2d511d06652a235149146 |
| SHA256 | ad0c11d42c262343733117eed3c7c862fd0c0286cac1940991cf15d10f6b9106 |
| SHA512 | b7abbf6e5b99726d094a08eb3a100d3df7df45449a1735bf50e016d94bc9356d21c172b124b9ef219455b5d524647f3ca107cfaf30815b5c83c1876161e77eda |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waxmcshnxg.msc
| MD5 | eae9e9ddbfff09d7941b2224ba7e5765 |
| SHA1 | 53341f499ca08dcc3c67a4d68f6ea18fda0ead75 |
| SHA256 | 4c57baff128fd73131bd2f928e6a2d034118f22f79608ca915d9061f45c85161 |
| SHA512 | fbafd8126f9d44e3eb22783fc7751e85ab81538a3aea1268122672e9fb05d33798335a2769e89499203c8048abbcb623075685685585a33cd1e018a23412a406 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vlkpbokcl.jpg
| MD5 | 3f7b3d13ae3087fc81b69a9092490afa |
| SHA1 | 9f0141684f1fbab4d4d372afb81f28abfb71de7e |
| SHA256 | 72a0263259831d8a1597e94d7019c1721b80febd664f7297612f5b98d3b57e33 |
| SHA512 | 705e6a778057b265cd95fe4079598987184a6b5a1f23748cf2339b089c3467ab87fe803c30154ca198c760aedd440d1d7a61210b57e5fcef75d903dcc827733c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tkqkr.bmp
| MD5 | 099d19dba7ae668571f2f966436eec2b |
| SHA1 | 4ffd0761ebb42b692bacbb922afe97610f9eea18 |
| SHA256 | 23166dd60c3c6614b7cdc516d5d9309a92817fc692784494ebe72d22eeec5736 |
| SHA512 | 9748043405a2e25a7945d8b6af7dbe616ef27a855cd4d8ed449e9572b17d1dcbdc5885ac3951e044e537ee08a6d60dc60a4acb9099cd518cfb149696dad162aa |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\texrrjumle.dll
| MD5 | 1ab25e716281bf231ac3d32bd1e88d92 |
| SHA1 | 9111b7b613fcad290f31a1504ae97b8321a28607 |
| SHA256 | 38885d4f8516f7830d6a46aac1602b89b6ee3c85a7fec6267aa59b18d9ec21a5 |
| SHA512 | 0d3919dfa4ed5a5785f88c41ebc0cb5bdaa9a6e5b0871fb0b94dcae764069b02ed42750e74b24a5738378e63ce3b840e6f63bd0fbbc847dd5fff5ccafb31ded7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tepnjh.dxh
| MD5 | 3b5ad23ea9ef85bf03191c08d0362ffe |
| SHA1 | 3f5f9ce3e99c107fda49ec6e10221f7bdaacea30 |
| SHA256 | fd5011e6560f01bd34a3116f6c73b4a7c09442b9926e47a53d64486033b871ae |
| SHA512 | 091aa5695edcd9d3e4edf9fc21bce017ab4bb89cde02eaf00ab6353baa4131f1b97d2114c6d6b6fbd964a66f2fe76f975eeb21c7ab8e4058048ace0fd5c19397 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tbbsgeqa.dll
| MD5 | 8a7de2188bc4fbcea9b77b3855c3319f |
| SHA1 | 7d5234ee4135bffe814d4221c4533300d79c3b42 |
| SHA256 | 554ae23bcf441c91b664e802249e7177498c7efdc41f6011b62c8e15ac875a97 |
| SHA512 | 6d13762a7a71b644aa174009665674e52f9f9830522af2688becaf8ec9686994ead7836870dc2f6b1b810f464db613fcd0cc55aa7c90a34f2254eb9d5326d301 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqkhe.icm
| MD5 | 5581b6d2b6b75702e0103dad918690e7 |
| SHA1 | ae2326064713172bb6bd3942c02bd374fbbc72c2 |
| SHA256 | c7c2d274186b27e864102c5b0ef98d733c5d1059b28345fc7c7699b4c5ad84cf |
| SHA512 | 770252372c1a384f683ae990b0f3ff56022ddaf537890d9882819e64ab88186c46a9f95b39a8d97ff194dd1167b993971c9adf5bb30b4ec3bb87c96e0536466c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvkmtj.bin
| MD5 | 20c3960284681d57870501f88ab90ce0 |
| SHA1 | ba73c87174e3aa7fe1d5abae87a4f1ad6b00bca6 |
| SHA256 | 7e7d92f5e021bf85541cfc97760915f7bc3717b13da995704ede1ac822ad0437 |
| SHA512 | 032381905afb553bb88f2885b1a2bee668b26f67f202ddc107590bf03cbdff492d73dd7d62ea3391e6543d90f1fff7c081b08afa7c65ba6dc5eb7009f1b60242 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pgqqpkgosi.msc
| MD5 | e816bfb27c7b5b628e1062cca9577257 |
| SHA1 | 54746bb1ac29cf251577b2d41d88e33df4d243cc |
| SHA256 | ec54ef8d547f6b413159a5cdf006a022fe19467f044d58442a691a82908878a3 |
| SHA512 | fd461403f4399f7f7209900d09b5b4296f94046300028240fb8ffb523600f83b1d8a73e85398f04e55c3054c49b0ac69d55d637f83221202911924e497d4bb1c |
memory/4244-135-0x00000000049B0000-0x0000000004A16000-memory.dmp
memory/1592-134-0x00000000051B0000-0x00000000051D2000-memory.dmp
memory/4244-136-0x0000000004A20000-0x0000000004A86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\odsmlp.bin
| MD5 | f0c663c98d2c84c31bd24f8ac6a3716e |
| SHA1 | 4a5ed1a6a413bdb83bfd845d5d1799f36d2e0033 |
| SHA256 | 9e80f7cd7113fd2cec9a2b3abfe073eb74b6582bd16e668dbb0298a1a8c51704 |
| SHA512 | 347d8b4aa432c8e9db0a808d0b7a4eb68c52775ab359ee367ea097a600b111143aae5c26aee69715b551131a49a4c3f1ace0036ae5846bc74b4eb945823892b0 |
memory/4244-142-0x0000000005390000-0x00000000056E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12cwqsxn.q4m.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nslnokot.xl
| MD5 | 8bc52a1186422e129c0dacb2f3740bae |
| SHA1 | c30eca43669e7e7122d74801a24079bd06e715aa |
| SHA256 | 061d5d78cffd6ba45ec6be56d58e90f4c3b1033cb700d2965a0d8fc24b098d8e |
| SHA512 | b44e57193adf35314676924dd85f27f7c73f6dc044590b9b1f51ffdf449a65daa6904b505da831af751007e2d4037cf617c3ad1c78caca0351c182770ca8d7ac |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjvqtwjcxc.dll
| MD5 | 05289151577dbfb9b9da00d2976804c3 |
| SHA1 | 5f6aaad5d5d6a00872975b0db7253d963cc3bd50 |
| SHA256 | 39af376b2ca11e08c23c4b82826803704eb5accfe3dadd5643bdea8a7fa12b6d |
| SHA512 | 50bf9002221700c98c5997d8103f9478364d16bc2853ab4a01ac19147a6ad90b16ae61c24252f5667abd5e3d4e3886f6aa0c251c1e406a50eccba9d5b407b653 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lrtphskvo.mp3
| MD5 | f96ff517e1872d3d0833a4396ed5fb13 |
| SHA1 | 7895defa294bb3f85a9983244fadcd4e56736c5b |
| SHA256 | 87d300f970f25bdc5773f8d9dfb6a076af9bfee63c1f5519e2e1c8f709065e69 |
| SHA512 | c5e505118875234d27bf95952ef3ab52efee7cd2d4035830336fb3f8e8c66eef0902c16f47d3a5ff8d2c1a9c1c5e1cabe372dff4a114122962a5640a490cf21f |
memory/4584-78-0x0000000004EE0000-0x0000000005508000-memory.dmp
memory/1592-64-0x0000000002CD0000-0x0000000002D06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\emhdgqkk.ppt
| MD5 | 3c2527d519379be6527150634a61e3b5 |
| SHA1 | f2f30a0a9bc89a57c13f2ad9fcc4df684706f672 |
| SHA256 | 7302c0116d73564ad50b06e8dce5327cade742120b535810693d1b0bf411bb53 |
| SHA512 | 12f1559a8fa81e5a2d5a4a5d7c161eca4e1b73b0cfb7edcf19e0fb17748cede40e2489e7fad20d8be8efccfd385d0912df1a1fa579a432898e36734702c4bf77 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dexxnd.msc
| MD5 | 4fbc72d312e093beb8a3136219065822 |
| SHA1 | 398f941d09a6be7451487875864e14bf5ee00f25 |
| SHA256 | 20e3103abfd6c45bd15e8c9868259d7218319d2185268ef91bb7d72f4d71b666 |
| SHA512 | 67b7738e796ad0c941b111069e2afc1fab28d9b0f497f220de06ce394598442f25383718ee5bd1ebc7a7be673a3b68c1be68ac6271c4bdc92fed0e81c7211e0f |
memory/1592-193-0x0000000006800000-0x000000000684C000-memory.dmp
memory/1592-192-0x0000000006260000-0x000000000627E000-memory.dmp
memory/1592-213-0x0000000006790000-0x00000000067AE000-memory.dmp
memory/1592-203-0x000000006EA10000-0x000000006EA5C000-memory.dmp
memory/1592-202-0x0000000007240000-0x0000000007272000-memory.dmp
memory/1592-214-0x0000000007480000-0x0000000007523000-memory.dmp
memory/1592-233-0x0000000007BF0000-0x000000000826A000-memory.dmp
memory/1592-234-0x00000000075A0000-0x00000000075BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/2392-256-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-250-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-257-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-243-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-241-0x0000000000900000-0x0000000001900000-memory.dmp
memory/1592-270-0x0000000007610000-0x000000000761A000-memory.dmp
memory/1592-271-0x0000000007840000-0x00000000078D6000-memory.dmp
memory/1592-272-0x00000000077C0000-0x00000000077D1000-memory.dmp
memory/2392-275-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-274-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-273-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-278-0x0000000000900000-0x0000000001900000-memory.dmp
memory/1592-279-0x00000000077F0000-0x00000000077FE000-memory.dmp
memory/4792-280-0x000000006EA10000-0x000000006EA5C000-memory.dmp
memory/1592-290-0x0000000007800000-0x0000000007814000-memory.dmp
memory/1592-291-0x0000000007900000-0x000000000791A000-memory.dmp
memory/996-293-0x000000006EA10000-0x000000006EA5C000-memory.dmp
memory/1592-292-0x00000000078E0000-0x00000000078E8000-memory.dmp
memory/4804-304-0x000000006EA10000-0x000000006EA5C000-memory.dmp
memory/800-303-0x000000006EA10000-0x000000006EA5C000-memory.dmp
memory/4024-323-0x000000006EA10000-0x000000006EA5C000-memory.dmp
memory/2392-334-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-335-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-336-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-337-0x0000000000900000-0x0000000001900000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b5a69d44ebefafa1ec105f862a0af1a6 |
| SHA1 | 85ec57747ce919b756b5ce233f40e0710064cdfd |
| SHA256 | 283434011d2250465b4b729958fc2c65a26fc4797ccf5f3feec29dffb5185a98 |
| SHA512 | bb9c44ab534da0f5c8339c1fe7fd7600fd43788b2f91dc5152e8799cded6105007a383d37f58e5d3891d451618add5de1e12d3183c10ae72783214ea6e563b99 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 586400567165517bf85f4cfbc01df5ae |
| SHA1 | f42ce3b839fa2579f03b6ad0439822cea2d30cf4 |
| SHA256 | df09786a729f9907659cdf4ff2d0b9fcf0d0a56dbf2dfef2129dce2eab26fa36 |
| SHA512 | bc1e6f44aa37177f76e3ff32202300189bb1009ec27c719c559ae39026e91860d278db6d17e6508dbcfee83ed0bae9a54598e5a6bd35ed56bcb8406f7dfb6f9c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c5f4dbb3f93566dac535efdbc21b940 |
| SHA1 | 7b703d68a756331bef101096eb5ca00acfeb37c0 |
| SHA256 | 7e054274d303c334f4967885d345ec800cdebe771eb90f8d4b210968f8ce7a45 |
| SHA512 | fe557194b3239885dd284954b3bab23d113ae5797d3e9380f5466279bc1ceb7a56eae42f26ac9fc01fd2b0e29d6592f73475110c01ca1a0e958187692bfca89f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 649e86693d731ebe6f5f31be72e6780d |
| SHA1 | f104ab0dbe2178f9d8ef0a74b0c19470ad5bf91f |
| SHA256 | 937101bc48e7e71527c0a8f026eca28e35cd95b14842c0e22ce32d2fa53dc332 |
| SHA512 | 35a431acb988b99ca63ae01ddef833ced7046ba13ad86f810273a5ab978297c22d22fcfad747b83aaa75ec2ae23ae1e71d6da7fb80cdfd2ab93fbec8d9781994 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 53b98cd096dbbfbdc40b525a4f775714 |
| SHA1 | 4589fcb366197ce247795290ca7ef7a13a52230d |
| SHA256 | 05a5f0a895f939a15378e4f9ca8f60649b1c4de4f2d9715e75e85a87125da884 |
| SHA512 | 33234fc294169b8e931617e59e479fc8f3ebc44972b287370b95783b1d7f788a87cf3efe24476092992b10f9f515a57c221aa74918caf1fd5ce24f168fca6a77 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 63c28042835007aff37bda4ed413fee9 |
| SHA1 | fefc21bc12ee694326df71f412941d27acb503d1 |
| SHA256 | 499bbf82fa60381aef0c2c067e525e14dd9a0b3b08ccb282e9b42534375516c2 |
| SHA512 | 6d7cfe5ca90e2c02113bbbee3877748ada749d15fb764b603f1466236338ba20f0f30e94653e55b8eb32d275c2c7ff00ac28de0055dacdca43baa8d9dfbe316f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3bf6890be13a04eef112ee2c07d0d302 |
| SHA1 | 0fe955e702a75d70b86b6df54242134b5f7aaf91 |
| SHA256 | 58165ca43312dc8cda0036467f8096ec788a0073f808edaccf419f9382e35c83 |
| SHA512 | 4d747886bfe624661a17353d62649f3d63ebbc6d63196485d2cbec0a8962eefdba5fbde4c6a305cced81eb15b893637fe2e74fe8106a296072e48abfb46643ce |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 946655954d9cfd883ec280edf37e1d3d |
| SHA1 | ad9355caaf0016e2e843515d52b79e1805ab3814 |
| SHA256 | 4fb834d13867e049eb0e847e413cb2d0308ba79cf30c2a8ae04003dbb80c2a72 |
| SHA512 | 2bcdc7a8fd1ed226014f0067f31b1acd6715bd4b046bd27f26c9eac9d888c753041c672c46097997542f106224369ed68dff4fb1bda1ae8c5287a058e7589d16 |
memory/2392-361-0x0000000000900000-0x0000000001900000-memory.dmp
memory/4092-373-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1776-379-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1776-381-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1776-377-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4092-375-0x0000000000400000-0x0000000000462000-memory.dmp
memory/436-374-0x0000000000400000-0x0000000000478000-memory.dmp
memory/436-372-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4092-367-0x0000000000400000-0x0000000000462000-memory.dmp
memory/436-363-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2392-391-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2392-390-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2392-387-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rnoqhkxdmscuzbooexqcwsmecpep
| MD5 | 883af97f5f6dddc6f8cb495b841ec9ae |
| SHA1 | 225c3118ce7f9c747b891548fc637f41975bc8d0 |
| SHA256 | fcb197376fc607f9493ea0460ecac86ca5ae8973120894c6f8353b67e28995d9 |
| SHA512 | 8ae27cb74d4d3641a3ac7dca2bbf9f8d4b89a012fb723ced33db319d24bde80e90293c0f10d2713fd024ce800f57bafd3e6d1feb4cde973eea56f4c581052b23 |
memory/2392-392-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-393-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-394-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-395-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-396-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-397-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-398-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-400-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-399-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-402-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-401-0x0000000000900000-0x0000000001900000-memory.dmp
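The dropped-file and memory-dump listing above is only useful on a live host if it can be turned into something machine-checkable. The script below is an added example, not part of the sandbox report: it parses this report's own line format (a path line followed by `| MD5 | … |` hash rows, interleaved with `memory/PID-N-0xSTART-0xEND-memory.dmp` lines) into records, validates hash lengths so a truncated digest is caught rather than silently hunted for, builds a SHA256-keyed IOC index, and walks a directory hashing files against it. `REPORT_EXCERPT` is copied verbatim from the listing above (the `RegSvcs.exe` and `rnoqhkxdmscuzbooexqcwsmecpep` entries plus three of PID 2392's memory regions); the file written by `self_test_scan` is constructed for the demonstration. The index keys on SHA256 and keeps a list of paths because the report records the same path more than once with different contents (`mjvqtwjcxc.dll` appears twice above).

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Excerpt of the dropped-file / memory listing above, embedded so the script runs offline.
# Hash values are copied from the report as printed (not invented).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/2392-256-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-250-0x0000000000900000-0x0000000001900000-memory.dmp
memory/2392-391-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rnoqhkxdmscuzbooexqcwsmecpep
| MD5 | 883af97f5f6dddc6f8cb495b841ec9ae |
| SHA1 | 225c3118ce7f9c747b891548fc637f41975bc8d0 |
| SHA256 | fcb197376fc607f9493ea0460ecac86ca5ae8973120894c6f8353b67e28995d9 |
| SHA512 | 8ae27cb74d4d3641a3ac7dca2bbf9f8d4b89a012fb723ced33db319d24bde80e90293c0f10d2713fd024ce800f57bafd3e6d1feb4cde973eea56f4c581052b23 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Parse the report's listing format.

    Returns (files, regions): files is a list of {"path": str, "hashes": {algo: hex}} in
    report order; regions maps PID -> set of (start, end) address pairs from memory lines.
    A hash row whose digest has the wrong length raises, because hunting on a truncated
    digest is worse than failing loudly.
    """
    files = []
    regions = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current['path']}: {algo} digest has {len(digest)} hex chars")
            current["hashes"][algo] = digest
            continue
        m = MEM_LINE.match(line)
        if m:
            regions[int(m.group(1))].add((int(m.group(3), 16), int(m.group(4), 16)))
            continue
        current = {"path": line, "hashes": {}}   # any other line is a dropped-file path
        files.append(current)
    return files, dict(regions)


def ioc_index(files):
    """Map each SHA256 to the report path(s) that carried it (a path may repeat)."""
    index = defaultdict(list)
    for entry in files:
        if "SHA256" in entry["hashes"]:
            index[entry["hashes"]["SHA256"]].append(entry["path"])
    return dict(index)


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, index):
    """Return [(local_path, report_path), ...] for files whose SHA256 is in the index."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_of(p)
            if digest in index:
                hits.extend((str(p), report_path) for report_path in index[digest])
    return hits


def largest_region(regions, pid):
    """(start, end, size) of the largest dumped region for a PID, e.g. PID 2392's 16 MiB block."""
    start, end = max(regions[pid], key=lambda r: r[1] - r[0])
    return start, end, end - start


def self_test_scan():
    """Constructed end-to-end check: write a file with known bytes into a temp dir, index its
    SHA256 as if it came from the report, and return how many hits scan_directory reports."""
    content = b"constructed sample payload, not a real dropped file\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "sample.bin").write_bytes(content)
        index = {hashlib.sha256(content).hexdigest(): ["<constructed report path>"]}
        hits = scan_directory(d, index)
    return len(hits)


if __name__ == "__main__":
    parsed_files, parsed_regions = parse_listing(REPORT_EXCERPT)
    print(f"{len(parsed_files)} dropped files, PIDs with dumps: {sorted(parsed_regions)}")
    for hit in scan_directory(Path.home() / "AppData" / "Local" / "Temp", ioc_index(parsed_files)):
        print("IOC match:", hit)
```

Feed the whole listing (not just the excerpt) to `parse_listing` and point `scan_directory` at the `%LOCALAPPDATA%\Temp` tree of a suspect host; a SHA256 match against `RegSvcs.exe` or the `RarSFX0` contents is a high-confidence indicator, while the per-PID region sets give the address ranges worth carving from a memory image.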