Malware Analysis Report

2024-12-07 22:44

Sample ID 240719-q5asasthml
Target 096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe
SHA256 096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf
Tags: remcos riches evasion execution persistence rat collection spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf

Threat Level: Known bad

The file 096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe was found to be: Known bad.

Malicious Activity Summary

remcos riches evasion execution persistence rat collection spyware stealer

Remcos

NirSoft WebBrowserPassView

NirSoft MailPassView

Detected Nirsoft tools

Disables Task Manager via registry modification

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-19 13:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-19 13:50

Reported: 2024-07-19 13:53

Platform: win7-20240704-en

Max time kernel: 149s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe"

Signatures

Remcos

rat remcos

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop Outlook = "C:\\Users\\Admin\\AppData\\Roaming\\awgo\\EOCCFR~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\awgo\\lkjaaj.msc" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2636 set thread context of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1232 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe | C:\Windows\SysWOW64\WScript.exe
PID 1232 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe | C:\Windows\SysWOW64\WScript.exe
PID 1232 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe | C:\Windows\SysWOW64\WScript.exe
PID 1232 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe | C:\Windows\SysWOW64\WScript.exe
PID 2892 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2772 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2772 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2772 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 1268 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
PID 1268 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
PID 1268 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
PID 1268 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
PID 2636 wrote to memory of 348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 276 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe

"C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c eoccfrsi.msc lkjaaj.msc

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc

eoccfrsi.msc lkjaaj.msc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 75.127.7.188:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 75.127.7.188:2404 | | tcp
US | 75.127.7.188:2404 | | tcp
US | 75.127.7.188:2404 | | tcp
US | 75.127.7.188:2404 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe

MD5 004a8063aa902f25a2a60018fc35d3a9
SHA1 47ea2f98c80abfa5de178755677c7f611a9e2ce8
SHA256 4f042809ed74459f70ad83b91f8308ba1dad0be6fe35c73a751960403823bd6a
SHA512 ff119c33a1176247c4409e97a2123d0e236b40b83c010811fecd0922d6fe0095f5c469963a3229ae7b9db3e882ae17746b15d1d1ec27508060b86183044f45eb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc

MD5 31db1d81c80c66640b773c535cdfa762
SHA1 9cfffe3e21ab746e18db1447bf339d1af2118570
SHA256 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211
SHA512 c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjvqtwjcxc.dll

MD5 8935c2ba9f22d65161fff70e643e92ee
SHA1 4a6823c4ae819e18b15171bb289d8c5ca813422e
SHA256 f64b5ef00337821844a2485c18c5d0bdae3c705e85e2e1ce8b864e060c8b74f8
SHA512 0a78309d6bbf4f01da9fbb3f97b84eb773da372b659fd8d7ae8c4e4e1079477788533c86df952332217a89f19f52b8c919ad0cc878fc7fac76a1c2214129098d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ghlouehf.txt

MD5 d6d3a3233d7cf818aab5262f8a497881
SHA1 4e125b6adaa9e4108344c50ed9ab76c633b66a46
SHA256 0f742bfdff8013d1f61617446f5e3951e094314a29a25bebb5052eabe5e3d3a0
SHA512 41010ff3deb6944287189f9467830d4f3e61d386963ed777d5a934c955fd38b798320e77db0125159e7f3e0bafab97c30224d4e082808ac09401feea5359107f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kdootbdd.dll

MD5 07985a733f71f7c45ce37ca0cd913dab
SHA1 823a038c3da489e3c74ac045bd65446bf0d8bf5a
SHA256 8aa5e280d8b9256d33bb4b2c105cba4f62bbf9c3c5c4b9bc6bc8c6ee6ff6a165
SHA512 b9d8c0c9889ec1973711581b245ad1cc5f749647f283d9713af9d6230c12d23eaa816fedb518f232e6483c42dcf0d2e9d05898cdb8dc2edbdbce9a3ab3d6ec7c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jlknkx.dll

MD5 1b438f72e1fff271d24021430d6c3ebe
SHA1 49df6d07cb5ffceb19bf070a004ac70c41d41786
SHA256 67ac5749336fe9cbca652dd9e3ac4d03519e1c161a395691a0f5580ed545f453
SHA512 e4f7a5a9d1e77b87cf7b00c959017ee78ceba605496c161f170b5c5a35edfcf1b4168b0d91c43b7009d9294bdff802d5be62a15bab2bdc68e0cd4cd97c807206

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gpvttmwcco.docx

MD5 23831215c860dabf02d3ea85e1415a4f
SHA1 90c69d7e72ebd4774a0b330908cfb1564cc7a96e
SHA256 e783d53e94c1b90d8225f5fcb6bfa5ad6df2c9b578791c7472cd63f607a2a80c
SHA512 1c547f8a9bc3dc2576b880d5e83fb1aa3581bb922acc7b76838e19202d114c598c388c4ff927ab51c85d3460d8375eb01014b2d24826e5169aade6e79a3f4ab1

C:\Users\Admin\AppData\Roaming\awgo\mjvqtwjcxc.dll

MD5 05289151577dbfb9b9da00d2976804c3
SHA1 5f6aaad5d5d6a00872975b0db7253d963cc3bd50
SHA256 39af376b2ca11e08c23c4b82826803704eb5accfe3dadd5643bdea8a7fa12b6d
SHA512 50bf9002221700c98c5997d8103f9478364d16bc2853ab4a01ac19147a6ad90b16ae61c24252f5667abd5e3d4e3886f6aa0c251c1e406a50eccba9d5b407b653

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lrtphskvo.mp3

MD5 f96ff517e1872d3d0833a4396ed5fb13
SHA1 7895defa294bb3f85a9983244fadcd4e56736c5b
SHA256 87d300f970f25bdc5773f8d9dfb6a076af9bfee63c1f5519e2e1c8f709065e69
SHA512 c5e505118875234d27bf95952ef3ab52efee7cd2d4035830336fb3f8e8c66eef0902c16f47d3a5ff8d2c1a9c1c5e1cabe372dff4a114122962a5640a490cf21f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nslnokot.xl

MD5 8bc52a1186422e129c0dacb2f3740bae
SHA1 c30eca43669e7e7122d74801a24079bd06e715aa
SHA256 061d5d78cffd6ba45ec6be56d58e90f4c3b1033cb700d2965a0d8fc24b098d8e
SHA512 b44e57193adf35314676924dd85f27f7c73f6dc044590b9b1f51ffdf449a65daa6904b505da831af751007e2d4037cf617c3ad1c78caca0351c182770ca8d7ac

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvkmtj.bin

MD5 20c3960284681d57870501f88ab90ce0
SHA1 ba73c87174e3aa7fe1d5abae87a4f1ad6b00bca6
SHA256 7e7d92f5e021bf85541cfc97760915f7bc3717b13da995704ede1ac822ad0437
SHA512 032381905afb553bb88f2885b1a2bee668b26f67f202ddc107590bf03cbdff492d73dd7d62ea3391e6543d90f1fff7c081b08afa7c65ba6dc5eb7009f1b60242

C:\Users\Admin\AppData\Local\Temp\RarSFX0\emhdgqkk.ppt

MD5 3c2527d519379be6527150634a61e3b5
SHA1 f2f30a0a9bc89a57c13f2ad9fcc4df684706f672
SHA256 7302c0116d73564ad50b06e8dce5327cade742120b535810693d1b0bf411bb53
SHA512 12f1559a8fa81e5a2d5a4a5d7c161eca4e1b73b0cfb7edcf19e0fb17748cede40e2489e7fad20d8be8efccfd385d0912df1a1fa579a432898e36734702c4bf77

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dexxnd.msc

MD5 4fbc72d312e093beb8a3136219065822
SHA1 398f941d09a6be7451487875864e14bf5ee00f25
SHA256 20e3103abfd6c45bd15e8c9868259d7218319d2185268ef91bb7d72f4d71b666
SHA512 67b7738e796ad0c941b111069e2afc1fab28d9b0f497f220de06ce394598442f25383718ee5bd1ebc7a7be673a3b68c1be68ac6271c4bdc92fed0e81c7211e0f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqkhe.icm

MD5 5581b6d2b6b75702e0103dad918690e7
SHA1 ae2326064713172bb6bd3942c02bd374fbbc72c2
SHA256 c7c2d274186b27e864102c5b0ef98d733c5d1059b28345fc7c7699b4c5ad84cf
SHA512 770252372c1a384f683ae990b0f3ff56022ddaf537890d9882819e64ab88186c46a9f95b39a8d97ff194dd1167b993971c9adf5bb30b4ec3bb87c96e0536466c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tbbsgeqa.dll

MD5 8a7de2188bc4fbcea9b77b3855c3319f
SHA1 7d5234ee4135bffe814d4221c4533300d79c3b42
SHA256 554ae23bcf441c91b664e802249e7177498c7efdc41f6011b62c8e15ac875a97
SHA512 6d13762a7a71b644aa174009665674e52f9f9830522af2688becaf8ec9686994ead7836870dc2f6b1b810f464db613fcd0cc55aa7c90a34f2254eb9d5326d301

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pgqqpkgosi.msc

MD5 e816bfb27c7b5b628e1062cca9577257
SHA1 54746bb1ac29cf251577b2d41d88e33df4d243cc
SHA256 ec54ef8d547f6b413159a5cdf006a022fe19467f044d58442a691a82908878a3
SHA512 fd461403f4399f7f7209900d09b5b4296f94046300028240fb8ffb523600f83b1d8a73e85398f04e55c3054c49b0ac69d55d637f83221202911924e497d4bb1c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tepnjh.dxh

MD5 3b5ad23ea9ef85bf03191c08d0362ffe
SHA1 3f5f9ce3e99c107fda49ec6e10221f7bdaacea30
SHA256 fd5011e6560f01bd34a3116f6c73b4a7c09442b9926e47a53d64486033b871ae
SHA512 091aa5695edcd9d3e4edf9fc21bce017ab4bb89cde02eaf00ab6353baa4131f1b97d2114c6d6b6fbd964a66f2fe76f975eeb21c7ab8e4058048ace0fd5c19397

C:\Users\Admin\AppData\Local\Temp\RarSFX0\texrrjumle.dll

MD5 1ab25e716281bf231ac3d32bd1e88d92
SHA1 9111b7b613fcad290f31a1504ae97b8321a28607
SHA256 38885d4f8516f7830d6a46aac1602b89b6ee3c85a7fec6267aa59b18d9ec21a5
SHA512 0d3919dfa4ed5a5785f88c41ebc0cb5bdaa9a6e5b0871fb0b94dcae764069b02ed42750e74b24a5738378e63ce3b840e6f63bd0fbbc847dd5fff5ccafb31ded7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tkqkr.bmp

MD5 099d19dba7ae668571f2f966436eec2b
SHA1 4ffd0761ebb42b692bacbb922afe97610f9eea18
SHA256 23166dd60c3c6614b7cdc516d5d9309a92817fc692784494ebe72d22eeec5736
SHA512 9748043405a2e25a7945d8b6af7dbe616ef27a855cd4d8ed449e9572b17d1dcbdc5885ac3951e044e537ee08a6d60dc60a4acb9099cd518cfb149696dad162aa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\odsmlp.bin

MD5 f0c663c98d2c84c31bd24f8ac6a3716e
SHA1 4a5ed1a6a413bdb83bfd845d5d1799f36d2e0033
SHA256 9e80f7cd7113fd2cec9a2b3abfe073eb74b6582bd16e668dbb0298a1a8c51704
SHA512 347d8b4aa432c8e9db0a808d0b7a4eb68c52775ab359ee367ea097a600b111143aae5c26aee69715b551131a49a4c3f1ace0036ae5846bc74b4eb945823892b0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vlkpbokcl.jpg

MD5 3f7b3d13ae3087fc81b69a9092490afa
SHA1 9f0141684f1fbab4d4d372afb81f28abfb71de7e
SHA256 72a0263259831d8a1597e94d7019c1721b80febd664f7297612f5b98d3b57e33
SHA512 705e6a778057b265cd95fe4079598987184a6b5a1f23748cf2339b089c3467ab87fe803c30154ca198c760aedd440d1d7a61210b57e5fcef75d903dcc827733c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\waxmcshnxg.msc

MD5 eae9e9ddbfff09d7941b2224ba7e5765
SHA1 53341f499ca08dcc3c67a4d68f6ea18fda0ead75
SHA256 4c57baff128fd73131bd2f928e6a2d034118f22f79608ca915d9061f45c85161
SHA512 fbafd8126f9d44e3eb22783fc7751e85ab81538a3aea1268122672e9fb05d33798335a2769e89499203c8048abbcb623075685685585a33cd1e018a23412a406

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnxrl.bmp

MD5 3da8ca1447d337664bf24b4486964a50
SHA1 82cd9ecaadba7be06cd2d511d06652a235149146
SHA256 ad0c11d42c262343733117eed3c7c862fd0c0286cac1940991cf15d10f6b9106
SHA512 b7abbf6e5b99726d094a08eb3a100d3df7df45449a1735bf50e016d94bc9356d21c172b124b9ef219455b5d524647f3ca107cfaf30815b5c83c1876161e77eda

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 623e499ed5de8643b83a58a7f5b57484
SHA1 7d22dd5414f0d0e8af103026dbbbf62b87c09cc2
SHA256 fdb1cc1e2607c183038943a2773410d852f73764c756c44be057f706938ed396
SHA512 3b7468bbf2b1492aaba5f03f3268ec0e8bd32c282fe05081460311ca7568d2108347bbe62150a2bfd7471649f5f6b223bfb63f47a339cd71e08e8d87d9934536

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/2880-192-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-197-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-201-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-198-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-195-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2880-202-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-203-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-204-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-206-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-210-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-209-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-212-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-213-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-214-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-215-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-216-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-217-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-218-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-219-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-221-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-220-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-223-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-222-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-224-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-225-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-226-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-227-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-228-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-229-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-230-0x00000000003B0000-0x00000000013B0000-memory.dmp

memory/2880-231-0x00000000003B0000-0x00000000013B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-19 13:50

Reported: 2024-07-19 13:52

Platform: win10v2004-20240709-en

Max time kernel: 149s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop Outlook = "C:\\Users\\Admin\\AppData\\Roaming\\awgo\\EOCCFR~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\awgo\\lkjaaj.msc" C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
18 identical events N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc N/A
18 identical events N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
28 identical events N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 1412 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe C:\Windows\SysWOW64\WScript.exe
PID 1412 wrote to memory of 2628 (3 writes) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 3508 (3 writes) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 3120 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3508 wrote to memory of 2372 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc
PID 2372 wrote to memory of 1592 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 4584 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 4244 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 1960 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 3488 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 4784 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 4440 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 896 (3 writes) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3488 wrote to memory of 996 (3 writes) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1960 wrote to memory of 4804 (3 writes) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 4792 (3 writes) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4024 (3 writes) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4784 wrote to memory of 800 (3 writes) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2392 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2392 wrote to memory of 436 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2392 wrote to memory of 3272 (1 write) N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe

"C:\Users\Admin\AppData\Local\Temp\096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c eoccfrsi.msc lkjaaj.msc

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc

eoccfrsi.msc lkjaaj.msc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnoqhkxdmscuzbooexqcwsmecpep"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\chtbadifiauhbqcsvidvhfhuldvybjqd"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\chtbadifiauhbqcsvidvhfhuldvybjqd"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejzt"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejzt"
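The process list above is the most reusable part of this run. The Python below is an added example, not part of the sandbox report or of the sample, that parses those command lines (plus the Run-key value from the "Adds Run key to start application" signature) into the facts an analyst would carry into a hunt: the eleven Add-MpPreference calls excluding the RarSFX0 drop folder, the RegSvcs.exe process and .vbs/.vbe extensions from Defender; the WindowsRepaire scheduled task (every 30 minutes) and the "Desktop Outlook" Run key, which launch the same copy under AppData\Roaming\awgo; the NirSoft /stext invocations, whose switch means "save output as a text file", writing recovered credentials under Temp; and the .msc extension on a file the sandbox shows running as a process (PID 2372). Read together with the WriteProcessMemory table (five writes from eoccfrsi.msc into the dropped RegSvcs.exe, then RegSvcs.exe writing into child copies of itself that carry /stext) and the SetThreadContext signature in the overview, the chain is consistent with the payload being injected into RegSvcs.exe and the NirSoft tools being run in memory in further copies; the report itself does not state that. The regular expressions and the OK_EXT list are my own choices, not something the report defines.

```python
"""Triage of the behavioral2 command lines and persistence entries listed above.

Added example, not part of the sandbox report or the sample. Pointed at
process-creation telemetry (Sysmon Event ID 1 or Security 4688 with
command-line auditing), the same rules flag this behaviour on a live host.
"""
import re
from pprint import pprint

# Command lines copied from the Processes section above (the two bare
# "<image>.exe" entries carry no arguments and are left out).
COMMAND_LINES = r'''
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe"
"C:\Windows\System32\cmd.exe" /c ipconfig /release
"C:\Windows\System32\cmd.exe" /c eoccfrsi.msc lkjaaj.msc
ipconfig /release
eoccfrsi.msc lkjaaj.msc
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\awgo\EOCCFR~1.EXE C:\Users\Admin\AppData\Roaming\awgo\lkjaaj.msc"
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnoqhkxdmscuzbooexqcwsmecpep"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\chtbadifiauhbqcsvidvhfhuldvybjqd"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\chtbadifiauhbqcsvidvhfhuldvybjqd"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejzt"
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejzt"
'''.strip().splitlines()

# Run-key value from the "Adds Run key to start application" signature above;
# the report renders each backslash doubled.
RUN_KEY_VALUE = r'Desktop Outlook = "C:\\Users\\Admin\\AppData\\Roaming\\awgo\\EOCCFR~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\awgo\\lkjaaj.msc"'

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)", re.I)
IPCONFIG_RE = re.compile(r"\bipconfig\s+/(release|renew)\b", re.I)
SCRIPT_RE = re.compile(r'wscript\.exe"?\s+"?([^"]+\.vb[es])', re.I)
# Extensions treated as ordinary programs/scripts (my list, not the report's);
# anything else started as a program is an extension masquerade.
OK_EXT = {"exe", "com", "bat", "cmd", "ps1", "vbs", "vbe", "js", "msi", "scr", "dll"}


def _value(flag, text):
    """Value of a /flag argument, quoted or bare; None if absent."""
    m = re.search(rf'/{flag}\s+(?:"([^"]+)"|(\S+))', text, re.I)
    return (m.group(1) or m.group(2)) if m else None


def launched_program(cmd):
    """Program actually started: the token after cmd.exe's /c, else the first token."""
    m = re.search(r'/c\s+(?:"([^"]+)"|(\S+))', cmd, re.I) or re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)


def triage(command_lines, run_key_value):
    out = {"defender_exclusions": [], "scheduled_tasks": [], "nirsoft_dumps": [],
           "ipconfig": [], "scripts": [], "odd_extensions": [], "run_keys": []}
    for cmd in command_lines:
        if m := EXCLUSION_RE.search(cmd):                       # evasion: Defender exclusions
            out["defender_exclusions"].append((m.group(1).lower(), m.group(2)))
        if re.search(r"\bschtasks\b.*\s/create\b", cmd, re.I):   # persistence: scheduled task
            out["scheduled_tasks"].append({k: _value(k, cmd) for k in ("tn", "sc", "mo", "tr")})
        if "/stext" in cmd.lower():                             # collection: NirSoft "save as text"
            out["nirsoft_dumps"].append(_value("stext", cmd))
        if m := IPCONFIG_RE.search(cmd):                        # DHCP release/renew of the adapter
            out["ipconfig"].append(m.group(1).lower())
        if m := SCRIPT_RE.search(cmd):                          # execution: dropped .vbe via WScript
            out["scripts"].append(m.group(1))
        base = launched_program(cmd).rsplit("\\", 1)[-1]
        ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if ext and ext not in OK_EXT:                           # PE run under a document extension
            out["odd_extensions"].append(base)
    if m := re.match(r'(.+?)\s*=\s*"(.*)"$', run_key_value):
        out["run_keys"].append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return out


def persistence_targets(result):
    """Distinct commands re-launched by the Run key and the scheduled task."""
    cmds = {t["tr"] for t in result["scheduled_tasks"]} | {c for _, c in result["run_keys"]}
    return sorted(cmds)


if __name__ == "__main__":
    result = triage(COMMAND_LINES, RUN_KEY_VALUE)
    pprint(result)
    pprint(persistence_targets(result))
```

On a suspected host, the same facts are checked directly: Get-MpPreference exposes ExclusionPath, ExclusionProcess and ExclusionExtension for comparison against a baseline, and the task name and Run-key value name above are exact strings to search for in the Task Scheduler library and under the WOW6432Node Run key.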

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 75.127.7.188:2404 tcp
US 8.8.8.8:53 188.7.127.75.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 75.127.7.188:2404 tcp
US 75.127.7.188:2404 tcp
US 75.127.7.188:2404 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
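The Network table above mixes three kinds of traffic, and only a couple of rows are indicators. The Python below is an added example rather than part of the report; it sorts the rows so that the direct-to-IP TCP connections to 75.127.7.188:2404 (2404 is the port Remcos uses by default) come out as the C2, the geoplugin.net request as the geolocation check Remcos makes through a legitimate public API (a detection signal, not a block target), and the seventeen *.in-addr.arpa queries as the sandbox's reverse lookups of every address it saw, including the C2 address itself. The classification of tse1.mm.bing.net as Windows background traffic of the sandbox image rather than the sample's own is my assumption; the report does not say either way. The bucket names and the two host lists are likewise mine.

```python
"""Sort the behavioral2 Network table into indicators and sandbox noise.

Added example, not part of the sandbox report or the sample.
"""
import ipaddress
from collections import Counter
from pprint import pprint

# Rows copied from the Network table above; the Domain column is empty for
# the direct-to-IP connections.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 75.127.7.188:2404 tcp
US 8.8.8.8:53 188.7.127.75.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 75.127.7.188:2404 tcp
US 75.127.7.188:2404 tcp
US 75.127.7.188:2404 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
""".strip().splitlines()

# Assumed (not stated in the report) to be Windows background traffic of the
# sandbox image rather than something the sample contacted.
BACKGROUND_HOSTS = {"tse1.mm.bing.net"}
# Public geolocation API that Remcos queries for the victim's location; a
# legitimate service, so a detection signal rather than a block target.
GEOLOCATION_HOSTS = {"geoplugin.net"}


def parse_row(line):
    """One table row -> dict; the Domain column is absent for direct-to-IP rows."""
    parts = line.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else ""
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": str(ipaddress.ip_address(ip)),
            "port": int(port), "domain": domain, "proto": proto}


def ptr_target(name):
    """IP address a reverse-lookup name refers to, or None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def classify(rows):
    out = {"direct_ip": Counter(), "geolocation": Counter(), "background": Counter(),
           "other": Counter(), "ptr": [], "dns_servers": set(), "forward_lookups": set()}
    for r in map(parse_row, rows):
        if r["proto"] == "udp" and r["port"] == 53:
            out["dns_servers"].add(r["ip"])
            target = ptr_target(r["domain"])
            if target:
                out["ptr"].append(target)           # sandbox resolving seen addresses in reverse
            else:
                out["forward_lookups"].add(r["domain"])
            continue
        key = f'{r["ip"]}:{r["port"]}'
        if not r["domain"]:
            bucket = "direct_ip"                    # no name resolved first: hard-coded endpoint
        elif r["domain"] in GEOLOCATION_HOSTS:
            bucket = "geolocation"
        elif r["domain"] in BACKGROUND_HOSTS:
            bucket = "background"
        else:
            bucket = "other"
        out[bucket][key] += 1
    return out


def iocs(result):
    """Block/hunt list: direct-to-IP endpoints, the PTR lookups that name them,
    and the geolocation endpoint as a behavioural signal."""
    contacted = {k.rsplit(":", 1)[0] for k in result["direct_ip"]}
    return {"c2_endpoints": sorted(result["direct_ip"]),
            "ptr_for_c2": sorted(set(result["ptr"]) & contacted),
            "geolocation_check": sorted(result["geolocation"])}


if __name__ == "__main__":
    pprint(iocs(classify(NETWORK_ROWS)))
```

The PTR rows are worth keeping in mind when reading other sandbox reports: a reverse lookup of the C2 address (188.7.127.75.in-addr.arpa here) is generated by the analysis environment, not by the sample, so it must not be turned into a DNS indicator on its own.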

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\juix.vbe

MD5 004a8063aa902f25a2a60018fc35d3a9
SHA1 47ea2f98c80abfa5de178755677c7f611a9e2ce8
SHA256 4f042809ed74459f70ad83b91f8308ba1dad0be6fe35c73a751960403823bd6a
SHA512 ff119c33a1176247c4409e97a2123d0e236b40b83c010811fecd0922d6fe0095f5c469963a3229ae7b9db3e882ae17746b15d1d1ec27508060b86183044f45eb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\eoccfrsi.msc

MD5 31db1d81c80c66640b773c535cdfa762
SHA1 9cfffe3e21ab746e18db1447bf339d1af2118570
SHA256 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211
SHA512 c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjvqtwjcxc.dll

MD5 8935c2ba9f22d65161fff70e643e92ee
SHA1 4a6823c4ae819e18b15171bb289d8c5ca813422e
SHA256 f64b5ef00337821844a2485c18c5d0bdae3c705e85e2e1ce8b864e060c8b74f8
SHA512 0a78309d6bbf4f01da9fbb3f97b84eb773da372b659fd8d7ae8c4e4e1079477788533c86df952332217a89f19f52b8c919ad0cc878fc7fac76a1c2214129098d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kdootbdd.dll

MD5 07985a733f71f7c45ce37ca0cd913dab
SHA1 823a038c3da489e3c74ac045bd65446bf0d8bf5a
SHA256 8aa5e280d8b9256d33bb4b2c105cba4f62bbf9c3c5c4b9bc6bc8c6ee6ff6a165
SHA512 b9d8c0c9889ec1973711581b245ad1cc5f749647f283d9713af9d6230c12d23eaa816fedb518f232e6483c42dcf0d2e9d05898cdb8dc2edbdbce9a3ab3d6ec7c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jlknkx.dll

MD5 1b438f72e1fff271d24021430d6c3ebe
SHA1 49df6d07cb5ffceb19bf070a004ac70c41d41786
SHA256 67ac5749336fe9cbca652dd9e3ac4d03519e1c161a395691a0f5580ed545f453
SHA512 e4f7a5a9d1e77b87cf7b00c959017ee78ceba605496c161f170b5c5a35edfcf1b4168b0d91c43b7009d9294bdff802d5be62a15bab2bdc68e0cd4cd97c807206

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gpvttmwcco.docx

MD5 23831215c860dabf02d3ea85e1415a4f
SHA1 90c69d7e72ebd4774a0b330908cfb1564cc7a96e
SHA256 e783d53e94c1b90d8225f5fcb6bfa5ad6df2c9b578791c7472cd63f607a2a80c
SHA512 1c547f8a9bc3dc2576b880d5e83fb1aa3581bb922acc7b76838e19202d114c598c388c4ff927ab51c85d3460d8375eb01014b2d24826e5169aade6e79a3f4ab1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ghlouehf.txt

MD5 d6d3a3233d7cf818aab5262f8a497881
SHA1 4e125b6adaa9e4108344c50ed9ab76c633b66a46
SHA256 0f742bfdff8013d1f61617446f5e3951e094314a29a25bebb5052eabe5e3d3a0
SHA512 41010ff3deb6944287189f9467830d4f3e61d386963ed777d5a934c955fd38b798320e77db0125159e7f3e0bafab97c30224d4e082808ac09401feea5359107f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnxrl.bmp

MD5 3da8ca1447d337664bf24b4486964a50
SHA1 82cd9ecaadba7be06cd2d511d06652a235149146
SHA256 ad0c11d42c262343733117eed3c7c862fd0c0286cac1940991cf15d10f6b9106
SHA512 b7abbf6e5b99726d094a08eb3a100d3df7df45449a1735bf50e016d94bc9356d21c172b124b9ef219455b5d524647f3ca107cfaf30815b5c83c1876161e77eda

C:\Users\Admin\AppData\Local\Temp\RarSFX0\waxmcshnxg.msc

MD5 eae9e9ddbfff09d7941b2224ba7e5765
SHA1 53341f499ca08dcc3c67a4d68f6ea18fda0ead75
SHA256 4c57baff128fd73131bd2f928e6a2d034118f22f79608ca915d9061f45c85161
SHA512 fbafd8126f9d44e3eb22783fc7751e85ab81538a3aea1268122672e9fb05d33798335a2769e89499203c8048abbcb623075685685585a33cd1e018a23412a406

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vlkpbokcl.jpg

MD5 3f7b3d13ae3087fc81b69a9092490afa
SHA1 9f0141684f1fbab4d4d372afb81f28abfb71de7e
SHA256 72a0263259831d8a1597e94d7019c1721b80febd664f7297612f5b98d3b57e33
SHA512 705e6a778057b265cd95fe4079598987184a6b5a1f23748cf2339b089c3467ab87fe803c30154ca198c760aedd440d1d7a61210b57e5fcef75d903dcc827733c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tkqkr.bmp

MD5 099d19dba7ae668571f2f966436eec2b
SHA1 4ffd0761ebb42b692bacbb922afe97610f9eea18
SHA256 23166dd60c3c6614b7cdc516d5d9309a92817fc692784494ebe72d22eeec5736
SHA512 9748043405a2e25a7945d8b6af7dbe616ef27a855cd4d8ed449e9572b17d1dcbdc5885ac3951e044e537ee08a6d60dc60a4acb9099cd518cfb149696dad162aa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\texrrjumle.dll

MD5 1ab25e716281bf231ac3d32bd1e88d92
SHA1 9111b7b613fcad290f31a1504ae97b8321a28607
SHA256 38885d4f8516f7830d6a46aac1602b89b6ee3c85a7fec6267aa59b18d9ec21a5
SHA512 0d3919dfa4ed5a5785f88c41ebc0cb5bdaa9a6e5b0871fb0b94dcae764069b02ed42750e74b24a5738378e63ce3b840e6f63bd0fbbc847dd5fff5ccafb31ded7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tepnjh.dxh

MD5 3b5ad23ea9ef85bf03191c08d0362ffe
SHA1 3f5f9ce3e99c107fda49ec6e10221f7bdaacea30
SHA256 fd5011e6560f01bd34a3116f6c73b4a7c09442b9926e47a53d64486033b871ae
SHA512 091aa5695edcd9d3e4edf9fc21bce017ab4bb89cde02eaf00ab6353baa4131f1b97d2114c6d6b6fbd964a66f2fe76f975eeb21c7ab8e4058048ace0fd5c19397

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tbbsgeqa.dll

MD5 8a7de2188bc4fbcea9b77b3855c3319f
SHA1 7d5234ee4135bffe814d4221c4533300d79c3b42
SHA256 554ae23bcf441c91b664e802249e7177498c7efdc41f6011b62c8e15ac875a97
SHA512 6d13762a7a71b644aa174009665674e52f9f9830522af2688becaf8ec9686994ead7836870dc2f6b1b810f464db613fcd0cc55aa7c90a34f2254eb9d5326d301

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqkhe.icm

MD5 5581b6d2b6b75702e0103dad918690e7
SHA1 ae2326064713172bb6bd3942c02bd374fbbc72c2
SHA256 c7c2d274186b27e864102c5b0ef98d733c5d1059b28345fc7c7699b4c5ad84cf
SHA512 770252372c1a384f683ae990b0f3ff56022ddaf537890d9882819e64ab88186c46a9f95b39a8d97ff194dd1167b993971c9adf5bb30b4ec3bb87c96e0536466c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvkmtj.bin

MD5 20c3960284681d57870501f88ab90ce0
SHA1 ba73c87174e3aa7fe1d5abae87a4f1ad6b00bca6
SHA256 7e7d92f5e021bf85541cfc97760915f7bc3717b13da995704ede1ac822ad0437
SHA512 032381905afb553bb88f2885b1a2bee668b26f67f202ddc107590bf03cbdff492d73dd7d62ea3391e6543d90f1fff7c081b08afa7c65ba6dc5eb7009f1b60242

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pgqqpkgosi.msc

MD5 e816bfb27c7b5b628e1062cca9577257
SHA1 54746bb1ac29cf251577b2d41d88e33df4d243cc
SHA256 ec54ef8d547f6b413159a5cdf006a022fe19467f044d58442a691a82908878a3
SHA512 fd461403f4399f7f7209900d09b5b4296f94046300028240fb8ffb523600f83b1d8a73e85398f04e55c3054c49b0ac69d55d637f83221202911924e497d4bb1c

memory/4244-135-0x00000000049B0000-0x0000000004A16000-memory.dmp

memory/1592-134-0x00000000051B0000-0x00000000051D2000-memory.dmp

memory/4244-136-0x0000000004A20000-0x0000000004A86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\odsmlp.bin

MD5 f0c663c98d2c84c31bd24f8ac6a3716e
SHA1 4a5ed1a6a413bdb83bfd845d5d1799f36d2e0033
SHA256 9e80f7cd7113fd2cec9a2b3abfe073eb74b6582bd16e668dbb0298a1a8c51704
SHA512 347d8b4aa432c8e9db0a808d0b7a4eb68c52775ab359ee367ea097a600b111143aae5c26aee69715b551131a49a4c3f1ace0036ae5846bc74b4eb945823892b0

memory/4244-142-0x0000000005390000-0x00000000056E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12cwqsxn.q4m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nslnokot.xl

MD5 8bc52a1186422e129c0dacb2f3740bae
SHA1 c30eca43669e7e7122d74801a24079bd06e715aa
SHA256 061d5d78cffd6ba45ec6be56d58e90f4c3b1033cb700d2965a0d8fc24b098d8e
SHA512 b44e57193adf35314676924dd85f27f7c73f6dc044590b9b1f51ffdf449a65daa6904b505da831af751007e2d4037cf617c3ad1c78caca0351c182770ca8d7ac

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mjvqtwjcxc.dll

MD5 05289151577dbfb9b9da00d2976804c3
SHA1 5f6aaad5d5d6a00872975b0db7253d963cc3bd50
SHA256 39af376b2ca11e08c23c4b82826803704eb5accfe3dadd5643bdea8a7fa12b6d
SHA512 50bf9002221700c98c5997d8103f9478364d16bc2853ab4a01ac19147a6ad90b16ae61c24252f5667abd5e3d4e3886f6aa0c251c1e406a50eccba9d5b407b653

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lrtphskvo.mp3

MD5 f96ff517e1872d3d0833a4396ed5fb13
SHA1 7895defa294bb3f85a9983244fadcd4e56736c5b
SHA256 87d300f970f25bdc5773f8d9dfb6a076af9bfee63c1f5519e2e1c8f709065e69
SHA512 c5e505118875234d27bf95952ef3ab52efee7cd2d4035830336fb3f8e8c66eef0902c16f47d3a5ff8d2c1a9c1c5e1cabe372dff4a114122962a5640a490cf21f

memory/4584-78-0x0000000004EE0000-0x0000000005508000-memory.dmp

memory/1592-64-0x0000000002CD0000-0x0000000002D06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\emhdgqkk.ppt

MD5 3c2527d519379be6527150634a61e3b5
SHA1 f2f30a0a9bc89a57c13f2ad9fcc4df684706f672
SHA256 7302c0116d73564ad50b06e8dce5327cade742120b535810693d1b0bf411bb53
SHA512 12f1559a8fa81e5a2d5a4a5d7c161eca4e1b73b0cfb7edcf19e0fb17748cede40e2489e7fad20d8be8efccfd385d0912df1a1fa579a432898e36734702c4bf77

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dexxnd.msc

MD5 4fbc72d312e093beb8a3136219065822
SHA1 398f941d09a6be7451487875864e14bf5ee00f25
SHA256 20e3103abfd6c45bd15e8c9868259d7218319d2185268ef91bb7d72f4d71b666
SHA512 67b7738e796ad0c941b111069e2afc1fab28d9b0f497f220de06ce394598442f25383718ee5bd1ebc7a7be673a3b68c1be68ac6271c4bdc92fed0e81c7211e0f

memory/1592-193-0x0000000006800000-0x000000000684C000-memory.dmp

memory/1592-192-0x0000000006260000-0x000000000627E000-memory.dmp

memory/1592-213-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/1592-203-0x000000006EA10000-0x000000006EA5C000-memory.dmp

memory/1592-202-0x0000000007240000-0x0000000007272000-memory.dmp

memory/1592-214-0x0000000007480000-0x0000000007523000-memory.dmp

memory/1592-233-0x0000000007BF0000-0x000000000826A000-memory.dmp

memory/1592-234-0x00000000075A0000-0x00000000075BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/2392-256-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-250-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-257-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-243-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-241-0x0000000000900000-0x0000000001900000-memory.dmp

memory/1592-270-0x0000000007610000-0x000000000761A000-memory.dmp

memory/1592-271-0x0000000007840000-0x00000000078D6000-memory.dmp

memory/1592-272-0x00000000077C0000-0x00000000077D1000-memory.dmp

memory/2392-275-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-274-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-273-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-278-0x0000000000900000-0x0000000001900000-memory.dmp

memory/1592-279-0x00000000077F0000-0x00000000077FE000-memory.dmp

memory/4792-280-0x000000006EA10000-0x000000006EA5C000-memory.dmp

memory/1592-290-0x0000000007800000-0x0000000007814000-memory.dmp

memory/1592-291-0x0000000007900000-0x000000000791A000-memory.dmp

memory/996-293-0x000000006EA10000-0x000000006EA5C000-memory.dmp

memory/1592-292-0x00000000078E0000-0x00000000078E8000-memory.dmp

memory/4804-304-0x000000006EA10000-0x000000006EA5C000-memory.dmp

memory/800-303-0x000000006EA10000-0x000000006EA5C000-memory.dmp

memory/4024-323-0x000000006EA10000-0x000000006EA5C000-memory.dmp

memory/2392-334-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-335-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-336-0x0000000000900000-0x0000000001900000-memory.dmp

memory/2392-337-0x0000000000900000-0x0000000001900000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b5a69d44ebefafa1ec105f862a0af1a6
SHA1 85ec57747ce919b756b5ce233f40e0710064cdfd
SHA256 283434011d2250465b4b729958fc2c65a26fc4797ccf5f3feec29dffb5185a98
SHA512 bb9c44ab534da0f5c8339c1fe7fd7600fd43788b2f91dc5152e8799cded6105007a383d37f58e5d3891d451618add5de1e12d3183c10ae72783214ea6e563b99

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 586400567165517bf85f4cfbc01df5ae
SHA1 f42ce3b839fa2579f03b6ad0439822cea2d30cf4
SHA256 df09786a729f9907659cdf4ff2d0b9fcf0d0a56dbf2dfef2129dce2eab26fa36
SHA512 bc1e6f44aa37177f76e3ff32202300189bb1009ec27c719c559ae39026e91860d278db6d17e6508dbcfee83ed0bae9a54598e5a6bd35ed56bcb8406f7dfb6f9c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c5f4dbb3f93566dac535efdbc21b940
SHA1 7b703d68a756331bef101096eb5ca00acfeb37c0
SHA256 7e054274d303c334f4967885d345ec800cdebe771eb90f8d4b210968f8ce7a45
SHA512 fe557194b3239885dd284954b3bab23d113ae5797d3e9380f5466279bc1ceb7a56eae42f26ac9fc01fd2b0e29d6592f73475110c01ca1a0e958187692bfca89f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 649e86693d731ebe6f5f31be72e6780d
SHA1 f104ab0dbe2178f9d8ef0a74b0c19470ad5bf91f
SHA256 937101bc48e7e71527c0a8f026eca28e35cd95b14842c0e22ce32d2fa53dc332
SHA512 35a431acb988b99ca63ae01ddef833ced7046ba13ad86f810273a5ab978297c22d22fcfad747b83aaa75ec2ae23ae1e71d6da7fb80cdfd2ab93fbec8d9781994

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 53b98cd096dbbfbdc40b525a4f775714
SHA1 4589fcb366197ce247795290ca7ef7a13a52230d
SHA256 05a5f0a895f939a15378e4f9ca8f60649b1c4de4f2d9715e75e85a87125da884
SHA512 33234fc294169b8e931617e59e479fc8f3ebc44972b287370b95783b1d7f788a87cf3efe24476092992b10f9f515a57c221aa74918caf1fd5ce24f168fca6a77

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 63c28042835007aff37bda4ed413fee9
SHA1 fefc21bc12ee694326df71f412941d27acb503d1
SHA256 499bbf82fa60381aef0c2c067e525e14dd9a0b3b08ccb282e9b42534375516c2
SHA512 6d7cfe5ca90e2c02113bbbee3877748ada749d15fb764b603f1466236338ba20f0f30e94653e55b8eb32d275c2c7ff00ac28de0055dacdca43baa8d9dfbe316f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3bf6890be13a04eef112ee2c07d0d302
SHA1 0fe955e702a75d70b86b6df54242134b5f7aaf91
SHA256 58165ca43312dc8cda0036467f8096ec788a0073f808edaccf419f9382e35c83
SHA512 4d747886bfe624661a17353d62649f3d63ebbc6d63196485d2cbec0a8962eefdba5fbde4c6a305cced81eb15b893637fe2e74fe8106a296072e48abfb46643ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 946655954d9cfd883ec280edf37e1d3d
SHA1 ad9355caaf0016e2e843515d52b79e1805ab3814
SHA256 4fb834d13867e049eb0e847e413cb2d0308ba79cf30c2a8ae04003dbb80c2a72
SHA512 2bcdc7a8fd1ed226014f0067f31b1acd6715bd4b046bd27f26c9eac9d888c753041c672c46097997542f106224369ed68dff4fb1bda1ae8c5287a058e7589d16


C:\Users\Admin\AppData\Local\Temp\rnoqhkxdmscuzbooexqcwsmecpep

MD5 883af97f5f6dddc6f8cb495b841ec9ae
SHA1 225c3118ce7f9c747b891548fc637f41975bc8d0
SHA256 fcb197376fc607f9493ea0460ecac86ca5ae8973120894c6f8353b67e28995d9
SHA512 8ae27cb74d4d3641a3ac7dca2bbf9f8d4b89a012fb723ced33db319d24bde80e90293c0f10d2713fd024ce800f57bafd3e6d1feb4cde973eea56f4c581052b23
