Malware Analysis Report

2024-12-07 22:44

Sample ID 240719-ss7mls1dqg
Target 5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe
SHA256 5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc
Tags
remcos riches evasion execution persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc

Threat Level: Known bad

The file 5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe was found to be: Known bad.

Malicious Activity Summary

remcos riches evasion execution persistence rat

Remcos

Command and Scripting Interpreter: PowerShell

Disables Task Manager via registry modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Gathers network information

MITRE ATT&CK

Enterprise Matrix V15

The interactive matrix is not reproduced in this text capture. Mapping added by the editor from the signatures listed above: Command and Scripting Interpreter: PowerShell is T1059.001; Scheduled Task/Job: Scheduled Task is T1053.005; Adds Run key to start application is T1547.001 (Registry Run Keys / Startup Folder); Disables Task Manager via registry modification and the Add-MpPreference exclusions in the process list are T1562.001 (Impair Defenses: Disable or Modify Tools); Suspicious use of SetThreadContext from jpxo.txt into RegSvcs.exe is T1055 (Process Injection); Gathers network information (ipconfig) is T1016 (System Network Configuration Discovery); Checks computer location settings (the Geo\Nation registry query in behavioral2) is T1614 (System Location Discovery).

Analysis: static1

Detonation Overview

Reported

2024-07-19 15:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 15:24

Reported

2024-07-19 15:27

Platform

win7-20240704-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe"

Signatures

Remcos

rat remcos

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
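
jpxo.txt is listed here as an executed EXE, and the Processes section below shows it started from cmd.exe as `jpxo.txt eqahetgik.txt`: CreateProcess goes by the MZ/PE headers, so the .txt extension hides nothing from the loader, only from casual inspection and from extension-based filtering. The check an analyst would run over the dropped files follows. It is an added example, not part of the sandbox report; `fake_pe()` builds constructed header bytes for the test rather than using the real dropped file (whose hashes are in the Files section), and the function names are the example's own.

```python
"""PE-header check for files that run despite a non-executable extension.

Added example for this report (not sandbox output).  'Executes dropped EXE'
lists jpxo.txt: CreateProcess decides by the MZ/PE headers, not by the name.
"""
import struct

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
# Extensions Windows normally loads as PE images; anything else that carries a
# PE header is treated as masquerading.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl", ".ocx", ".drv"}


def pe_info(data: bytes):
    """Return a dict describing the PE image in data, or None if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # IMAGE_NT_HEADERS: 4-byte signature followed by the 20-byte COFF file header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = None
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,   # 0x10B = PE32, 0x20B = PE32+ (64-bit)
    }


def extension_of(filename: str) -> str:
    name = filename.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def masquerading(filename: str, data: bytes) -> bool:
    """True when the bytes are a PE image but the name says otherwise."""
    return pe_info(data) is not None and extension_of(filename) not in EXECUTABLE_EXTS


def fake_pe(machine=0x014C, chars=0x0102, magic=0x10B) -> bytes:
    """Constructed test bytes: the smallest blob that parses as a PE header.
    Not the dropped file; it only exercises the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: NT headers right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 224, chars)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


def triage(files):
    """files: iterable of (name, bytes); returns the names that are disguised PE images."""
    return [name for name, data in files if masquerading(name, data)]


if __name__ == "__main__":
    sample = [  # constructed stand-ins for three of the dropped files
        (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt", fake_pe()),
        (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rcmr.vbe", b"' not a PE\r\n"),
        (r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe", fake_pe()),
    ]
    for name in triage(sample):
        print("disguised PE:", name, pe_info(dict(sample)[name]))
```

Extend `EXECUTABLE_EXTS` to whatever your environment treats as executable; the point of the check is the mismatch, not the exact list. Run over the RarSFX0 directory it sorts the drop by content rather than by name, which is the right first pass over a directory where the executable is called jpxo.txt.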

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\vclr\\JPXOTX~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\vclr\\EQAHET~1.TXT" C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2088 set thread context of 2080 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A 53
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 11
(64 rows in the sandbox listing, interleaved between the two processes; collapsed here per process with the row count in the last column)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 2716 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1240 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1240 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt
PID 2088 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1436 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2088 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3048 wrote to memory of 2896 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(Each row above appears four times in the sandbox listing, one per WriteProcessMemory call made while starting that child; the 64 rows are collapsed here to the 16 distinct parent/child pairs in order of first appearance.)
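
The sandbox logs one row per WriteProcessMemory call and the parent/child pairs recur, so this table is easier to read as a tree. The script below is an added example for readers of this report, not sandbox output: it parses rows in the table's own format, collapses repeats into an edge with a call count, and prints the chain from the root PID (the one that is never a child). Its embedded rows are copied from the table; only the first pair is kept with all four copies, the rest once each, so its counts are lower than the report's. Function names are the example's own.

```python
"""Process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not sandbox output.  Row format as printed:
  PID <parent> wrote to memory of <child> N/A <parent image> <child image>
The sandbox logs one row per WriteProcessMemory call, so a parent/child
pair recurs; here it is collapsed to one edge carrying a call count.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Rows copied from the table above.  Only the first pair keeps all four copies;
# the other pairs are listed once, so calls differ from the report's uniform four.
ROWS = r"""
PID 2432 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 2716 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1240 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1240 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt
PID 2088 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1436 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2088 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3048 wrote to memory of 2896 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""


def parse_rows(text):
    """Collapse rows into {(parent_pid, child_pid): {parent, child, calls}}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or a row in another format
        key = (int(m.group(1)), int(m.group(2)))
        edge = edges.setdefault(key, {"parent": m.group(3), "child": m.group(4), "calls": 0})
        edge["calls"] += 1
    return edges


def root_pids(edges):
    """PIDs that write to others but were never written to: the chain's roots."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render_tree(edges, root):
    """Indented lines, one per process, children in order of first appearance."""
    children = defaultdict(list)
    image = {}
    for (ppid, cpid), edge in edges.items():
        children[ppid].append(cpid)
        image.setdefault(ppid, edge["parent"])
        image[cpid] = edge["child"]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for cpid in children[pid]:
            walk(cpid, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    for root in root_pids(edges):
        print("\n".join(render_tree(edges, root)))
    print(f"{len(edges)} distinct parent/child pairs, "
          f"{sum(e['calls'] for e in edges.values())} rows")
```

The tree makes the chain explicit: the SFX (2432) runs WScript.exe on rcmr.vbe (2716), which spawns three cmd.exe instances (ipconfig /release, the jpxo.txt launch, ipconfig /renew); jpxo.txt (2088) then spawns the six powershell.exe exclusion writers and the cmd.exe that runs schtasks, and one powershell.exe (3048) spawns another (2896). Note what the table does not contain: no write into RegSvcs.exe (2080) appears at all, so the SetThreadContext row above and the memory/2080 dumps in the Files section are the only evidence of that step.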

Processes

C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe

"C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rcmr.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c jpxo.txt eqahetgik.txt

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt

jpxo.txt eqahetgik.txt

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\vclr\JPXOTX~1.EXE C:\Users\Admin\AppData\Roaming\vclr\EQAHET~1.TXT"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\vclr\JPXOTX~1.EXE C:\Users\Admin\AppData\Roaming\vclr\EQAHET~1.TXT"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs

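This listing carries the chain's loudest indicators: eleven Add-MpPreference calls that exclude the RarSFX0 directory, the RegSvcs.exe process name and the .vbs/.vbe extensions from Defender; a schtasks /create whose /tr action points into AppData\Roaming using 8.3 short names; a file named jpxo.txt used as a process image; and ipconfig /release issued before the exclusions are written. The script below is an added example, not sandbox output: it runs a few rules over (image, command line) pairs in this listing's alternating layout, plus the Run-key write from the Signatures section. The embedded listing is a copy of entries above; the rule names and helper functions are the example's own.

```python
"""Detection rules over the (image, command line) pairs of the Processes listing.

Added example for readers of this report, not sandbox output.  The listing
below is copied from the section above in its alternating image/command-line
layout; rule names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


PROCESS_LISTING = r"""
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rcmr.vbe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c jpxo.txt eqahetgik.txt
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt
jpxo.txt eqahetgik.txt
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\vclr\JPXOTX~1.EXE C:\Users\Admin\AppData\Roaming\vclr\EQAHET~1.TXT"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\vclr\JPXOTX~1.EXE C:\Users\Admin\AppData\Roaming\vclr\EQAHET~1.TXT"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
"""

# The registry write from the 'Adds Run key to start application' signature above.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\vclr\\JPXOTX~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\vclr\\EQAHET~1.TXT" C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A',
]

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?([^'\s]+)", re.I)
SCHTASKS_RE = re.compile(r'schtasks\s+/create\b.*?/tn\s+(\S+).*?/tr\s+"?([^"]+)', re.I)
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\(\S+)\s*=\s*"(.*)"')
RELEASE_RE = re.compile(r"\bipconfig\s+/release\b", re.I)
EXEC_EXTS = (".exe", ".com", ".scr")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_listing(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def basename(path):
    return path.rsplit("\\", 1)[-1]


def user_writable(path):
    """Directory test, not file-name test: the report's paths use 8.3 short
    names (JPXOTX~1.EXE), which a match on the long file name would miss."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def analyse_processes(events):
    findings = []
    for image, cmdline in events:
        name = basename(image).lower()
        if not name.endswith(EXEC_EXTS):
            findings.append(Finding("image_without_executable_extension", image, name))
        m = EXCLUSION_RE.search(cmdline)
        if m:
            findings.append(Finding("defender_exclusion_added", image, f"{m.group(1)}={m.group(2)}"))
        m = SCHTASKS_RE.search(cmdline)
        if m and user_writable(m.group(2)):
            findings.append(Finding("scheduled_task_from_user_writable_path", image, f"{m.group(1)} -> {m.group(2)}"))
        if RELEASE_RE.search(cmdline):
            findings.append(Finding("network_interface_released", image, cmdline))
    return findings


def analyse_run_key(rows):
    findings = []
    for row in rows:
        m = RUN_VALUE_RE.search(row)
        if m and user_writable(m.group(2)):
            findings.append(Finding("run_key_to_user_writable_path", "registry", f"{m.group(1)} -> {m.group(2)}"))
    return findings


def summarise(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyse_processes(parse_listing(PROCESS_LISTING)) + analyse_run_key(RUN_KEY_ROWS)
    for f in found:
        print(f"{f.rule:40} {basename(f.image):16} {f.detail}")
    print(summarise(found))
```

Two details of the listing itself. The image paths read SysWOW64 while the command lines say System32: the whole chain is 32-bit, so file-system redirection maps System32 to SysWOW64 for it, and a rule keyed on the literal System32 path misses these processes. And five powershell.exe entries have arguments beginning with `powershell -Command ...`: the dropper handed powershell.exe a command line whose first token is itself `powershell`, which Windows PowerShell runs as a command, starting a second powershell.exe; the powershell.exe to powershell.exe row (3048 to 2896) in the WriteProcessMemory table and the later entries whose arguments begin directly with `-Command` and carry the exclusion values unquoted are that second hop. On a live host the same artefacts are read back with Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension), Get-ScheduledTask -TaskName WindowsRepaire, and the WindowsUpdate value under HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run.
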
Network

Country Destination Domain Proto
US 75.127.7.188:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

The geoplugin.net lookup (DNS via 8.8.8.8, then HTTP to 178.237.33.50) is the geolocation request Remcos makes on startup. 75.127.7.188:2404 is the only other endpoint and 2404 is the Remcos default port, so it is the probable C2; the report does not extract the Remcos configuration, so treat it as probable rather than confirmed.

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rcmr.vbe

MD5 fc3e3014d4aa82973e80b6f342a9ba2b
SHA1 9d5a39ef43d8da3592b4aafbc33a0390486630c0
SHA256 3f9944b6e9f6ef701a3597ae329b547797e33c25fcc14656ca08a2f8d979f8bd
SHA512 495cae7e2a300c3aca2725b08d5cf87de15e95310c895694fd56bcce5a0e4c53afcf83f5ed8ff6d9ffa363cfd6a598c3e6e47cc240bc7f188311d7e5c6378da4

\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt

MD5 31db1d81c80c66640b773c535cdfa762
SHA1 9cfffe3e21ab746e18db1447bf339d1af2118570
SHA256 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211
SHA512 c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slnpcc.bmp

MD5 a186df88056e6531f57935a840fb02da
SHA1 77830b26b5335027c7b37c0612fb8a594e25fa50
SHA256 f743434830f555bdd171505d74ea4e54dd3581597fb14a36685bc9f64c86c1b6
SHA512 2a365786aabc5e954d73571df98926644636961ea10c5a9091385db0c50547aadb7b11ae9ce32da71fb6bc9cadb43435bbfcf0b40c98721d3ba487f560482102

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bbcrxbrf.bmp

MD5 fccf20921245599a5ef6136a6d39bd05
SHA1 08bacf979e0ece9787419a90bfeb97c4f75c1535
SHA256 c2c47dd690cf25767edef1235b62991e45bc37ebafaa1c96589b4da1f22d7f72
SHA512 f0cc8c3e4ae06ef465c9f8f1bc6b142eedf7a94552a1315ce9d3f25d89bb5a6c79a21184f77fc5e7eb8aca9966fef4fa7f6b84154a4655f3c09a2c06b54b9248

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bgqhso.3gp

MD5 2eda4d9662f2ec6a9f18ac6e41824602
SHA1 2c0794038bd4e555e5049fc723c1ac1f04c6815c
SHA256 67673c64574e24c3f2320c11cd40791312261e3a77372a8a0075a72b892748f1
SHA512 1611c62500e2f8ed70fe0e3ebeeeb1c9d26597a20025eed572d74c6d8301407212a10ca1fd96c04e34b4104d677ceb55a65f10db49b7ec58abc3fdbd2c1b2406

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NGMZ99RRGA3A2Y575M1V.temp

MD5 8bb7eed253fb2e253ba8d06ba124bf58
SHA1 29e3f25024e0138e3b493d44011d6b43aa865eee
SHA256 c58af28265b210fb852d5eadd9d2833a0fa3eca9b2d2bccd06f77f8cc0f3272d
SHA512 fcbbac5763f478e7f1d8b41956b0f9da5a218a0285eeb0aa31f9b66425d05e316c068fc14919e7736b642872d15967baab1384a86f29830335be7da424909a71

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bdvfx.msc

MD5 2978de921acb45fbbfce3f86514345fb
SHA1 8a9bb11fd381383b68cfec28bb04c4d6d35a7b38
SHA256 5f763a4461a0518084e61c9b753260482b65cf0d53ec23f27b501ff47733e640
SHA512 3e9913ae9c59e83edf04df0df27706ccb083d344440ea769ecfac0ea87b0cf4f0c48ef1e71511657d3dcfb7125784bed4ee89dd418abcfd117a74a8a1e5a89c8

C:\Users\Admin\AppData\Local\Temp\RarSFX0\djqdgwbjup.xls

MD5 2f6298e7823317e69c9e5b0b3d49c46a
SHA1 ef9a815bc27a83647e0d49bd65d8954b26468fd8
SHA256 84e7175e55ca315c2b0422303bd51d19c0f2bc3675383766fdfec0981f39d634
SHA512 ad6e3e2b7abaf6218900c36962b97830a21b7c60eda1a676d75197e02b587ece23afa880c3877a6fefcd180e822cb1eff9d0f880d810f4c3101579f08325d0f9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccqoqeu.pdf

MD5 fcc8d1cd6673dcb6c04d6ccfb7388698
SHA1 b764e503a349bd325a67e0bf9e96f4514f12584a
SHA256 f95d0705aa91a09dd4eb1e0746682d62473ecbd0e59bd4863280aca15feaeae2
SHA512 b48aa2c8eb5e0e4af945ca93f4dbc286c7daec05eafef47f76fd9df4b7f7f9ac82d434325a235228dc719aedb50a37d15948aa2d480da67e561a9cf0430e3864

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dtsm.jpg

MD5 cbb75051b9b586241998b1fdcd67d78b
SHA1 00ba34d5001b982e286f8b387bc0dbf110c99033
SHA256 07c8c38235d62e1bf34574208c42c4f44e4f2e94adc5c682940522d50da6f86c
SHA512 d62004e23b1aec729b2e0a7fb7bc9a6ea22c73f18403a7b41595200dd677e4ba04246e669c3c24752e1d961a0d23347651e29789140c653eeb7a73129014fa9b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bgtilmk.docx

MD5 8c1cdc3b43f08410963d8060fd32c22c
SHA1 6e1d31315d1af1012b8ab59f2975203fc52a66a2
SHA256 e916bc2cf4d2df15201088d3af8ea17099538e9862c9e9b6c9f34c1c4c900f5e
SHA512 a6699139ecf017b2eebfe6d83133c44d57522fd80a2941185ffa81dca15a3f841f0e900cd1d4b83c543b604476d90cbb1e2de2dbbe4542f547ecf045b2a6738f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hhtvup.msc

MD5 333d55f83ee203d14aac66abb25d6a84
SHA1 64f0219f7e44c9f0b5056cc2e29f4328ce244f15
SHA256 701c7ea5acec3c1ef11f3f20d946f4dff55127b8bfc8ba3e15cd891a4791567a
SHA512 21737cdee057b20067e422c9e2cc6fd1a705c1fea96b0c4dea458520fe659466d4e07726815f4accc13782d58d6fe608c0735819da922b6292763f31d02bf2f9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hedtdprfhh.msc

MD5 4f537180aa01b0cb725e6fdba256d5c8
SHA1 7ae53b226891d886871de120bf6c7d2df4e6cd89
SHA256 4d5f0adb69a3ac9d0633cac6e0499aa4f24b0500c1484d6e336c4ee896e1f1fa
SHA512 87e47fed8f25cdf26a07092719b47eed91526e6c9e52ea4bd7ed176f95eb9d9c587b8b4c7bd425ee12a2d4a887eae086e7c060b7e3fbf7e1363ecc026d80d18b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hdvgdk.mp3

MD5 6760ddd9c1aa51d025f82e706399bb68
SHA1 721d02ae9b01c0dc48b629538b4e1f8a216d138d
SHA256 367296f217bb9c61e966abad10239f91668fd1f196c05d1021cf93277c9720a2
SHA512 aa4b4e4bb1399bd8c3cb1aa07e7c3594366ff33f01160957730c0503f2b0bdc21d721d7c7b914fb50b59323c11d489989bff422aa9697957793cb05839fe2e58

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hofjjug.xls

MD5 49ef42ad7b5bc93f53652abeb9b2e4c2
SHA1 f45022f784aa7abdf47cff530fa6463ddb2e0b80
SHA256 7781d547d36d0b457d900683cfa892d84c80202d68b3ea3d6b4577d5b50bbce4
SHA512 6d78341400ac1a0ac191906210bea8b41b8f5220cbcf974813ab1ea74b7595d80fd570cbe6c96f87ae3906f455ed194d4ef727188b3eaca8ccdb3430c87beff6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gbnljluc.dat

MD5 559e9f534ae8c276e9922df8c07356d0
SHA1 c592b4b1d23f72bda26b3afcc88c403a7f06d30c
SHA256 20f44d57eddf9edce5265413c5f52ade82e546d183e26c1fd59ea286a01905cf
SHA512 4b40976c681d1d5e081773d21d6cf56b8ce568975256a419dcd21a7c6f76f97d3d8292b1be564843ddad86ba93611b609813fc805bc21d000837cf4de508aa09

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fetdsri.ppt

MD5 0893fb535d123ea5960213661ac1206b
SHA1 1beaec720f2a4aa553dc9a6d0d63df7c96b95e4a
SHA256 bb53a01afb08b1ebba7bbd5a9a9053f0726d48bc7b6eb6a1bf783744356e2c20
SHA512 bf94e3a1690937a9045c1d0659459e656a0c83b0d99d0e46cf128d588eba7539902e8275873e24f863f0d2f4a839a7b077bf75cd2393343f770360365be0ae18

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jgkcbdbfx.xl

MD5 cf6b7b70b26ecc6000c9ea24d1531d1b
SHA1 671eb7d5a2d55ccfab971121a617d5ba35c52bd2
SHA256 0ebfcef6095c95cd23315257fedb0dd2fd371b9e30d200a3ba7cf42d23529e6c
SHA512 7d7cf8e6cd93910c77fc7bd6339ac60d31627f9c195230e17f9bb80160a32a2027e2f85c43198fce1ff97b66fcc8adb338d511d8de225eb83e3ecce2906412d3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hufnen.ppt

MD5 563b1509730cfd682c5b9b6f0f6f7ae3
SHA1 aa2d4dbb302cf5699ac57f493dbfb5383397d337
SHA256 711f0b396b2e14a04eff353baf540f89d6c12196887a77a33801e144d2c296d3
SHA512 c34fffd2dd9650f8d19ab6e295bf4bb75c09b887903914d6328198e925c3d77de6a4e163b6676e412cd7184d13be6bbf0f37f93b46a96c989e919e8069fdc7dc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kmkgx.mp2

MD5 c4a0fb26ad2871431e221c03246ba0fd
SHA1 ca9e310f0a1a79465ccd7c4660852f98ed833c0c
SHA256 f9a9fe50d23b1eafaf054e74e8f785c52c6b3222dd756405f14d9147a03ac9c7
SHA512 c46c6247366b2de20079f8a7266aa53342c3c2b3824e611b097356574ea61e3677de0be4a1fc8ec5d379df539abd519da7608191647f27f2d26cb8035c41344e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lkkpii.dat

MD5 639118e7b20d603b4689fe4521834344
SHA1 11b16e3ddb1694496e02dda267c6b35607286d69
SHA256 15ec69b85891e45fa20537ecff26f3804ca57d2218fc2e9eba06c1a27c45dff4
SHA512 a3a566b71e6003e67ad81310450e0de28d32e49ef36211e2f5b02a173c2a065719cc28464ed6e5e7fe47c2db730ce73ad0b048e235dc39982ce1cb2df244ef0c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lmcrn.ppt

MD5 18b4e259881f2bf0256d10efee53fa7c
SHA1 da43675a9367751ea3caf7703503418392c43064
SHA256 c279790371f5cfc4a53545e51279aa0a3537284f7dc643bd6da20509b3e8110f
SHA512 b5424b8731b9eeefd4dd5f7eda14e1d2b55495439fb8dbdc679626bb96496fbdc87184325a9d7637c08370694509e2743284185b243237247fb68bac8501d321

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mpplcxgur.bin

MD5 c21e42e247355aef3b2e44d9b19078cc
SHA1 f336a8894c6b814956501af015b6264ff66c060d
SHA256 fa309ce9f4d1a2ebfe7a29048c45359780440126853a40e086706105c4f139cc
SHA512 74a9845734b364075549a1ef9b42039c23bc9dd5324df6eb1ddc45a6ec4102bd611b737af283421bb61023921c54b5ee3660af88b8348246b10814538dc9a017

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nbrgvkjl.ddl

MD5 3b5ad23ea9ef85bf03191c08d0362ffe
SHA1 3f5f9ce3e99c107fda49ec6e10221f7bdaacea30
SHA256 fd5011e6560f01bd34a3116f6c73b4a7c09442b9926e47a53d64486033b871ae
SHA512 091aa5695edcd9d3e4edf9fc21bce017ab4bb89cde02eaf00ab6353baa4131f1b97d2114c6d6b6fbd964a66f2fe76f975eeb21c7ab8e4058048ace0fd5c19397

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nidm.ppt

MD5 5b3e8df25dc5ca6362492c39c09f8087
SHA1 fba19c00dfb3b90525dfb555459ba8e57a742ab3
SHA256 62358414507e3d5a59392d1e80f3753d961fcdb775c5889982e6f20905ec6c40
SHA512 bc519e0d58af8145773ec5516e72f49535075003c92b0bb3ff3ad8edfcb547a456fc6b4d3e1da88cd961e886d66cde04ff76afd56e1013b17b720b7ab8dde6ee

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rtpg.dat

MD5 1fc9423bec864971c5afab2214f6d44a
SHA1 236f5dedd821cf2e01bd18d735521a1d3f9cf0a2
SHA256 e9057af619ba77bd78d6227583a43026c921b4ca1e49685c95c239027b4ae519
SHA512 50d2329d2b593ea1830d8eec5b84a8ca662b0f37d1b2e738a8d1aeb26fa28d1cd6f46f818564c1433983039c4f8db0bae6916ccad422db0e4368bc043b2823aa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\siacmameh.ppt

MD5 5d142c120c7db8ab2a7b92f50127f15d
SHA1 9506fb229338a80fbdeb5f3d20b235e28ad218d4
SHA256 a510c262bc1b02499698faa0600c2ec96f256a224c7ac49aa107db2253cd5f64
SHA512 1f6eeb23b6391eb41e97d736a193479e7c443042e00f533a95d5645b4e28971c779cdd966c0d3004f1e84c891ac93b46ecd08970f1e450180764c669f7d91078

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pbekquddo.msc

MD5 e39aaf523f448b303502c768d070e103
SHA1 c5a807a4f175c2c6319e773c4834076e67220a87
SHA256 f328431c16befb5b3471df95c03e60624fd21a9bff78469bf6af2c23f034b234
SHA512 6ca2d5962b171053a7ce444b548ec9a88832334c17f0b09ddd8c7320369f82ac60ebd5489e498754359249c302e165a321292a65894d575022f29f139a1847b4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\umruvetcoa.xls

MD5 4237b03ddcb3cd0141e7b092a2141dfc
SHA1 c78f69fed690749800401457195b1da2cfd183fb
SHA256 bee912427d32d9bf0a95a7777af1905c132c4bb86f107415bb4342ec44edbc39
SHA512 eb7368186c3587ac84416352aa935edf07253b41ca4fed116b7a85e96599d0ee8250323bd695e72b35a709265f5b0c024eac30293a47cb225c44941d43404826

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slnpcc.bmp

MD5 b90868adcc7c4f2da3259afc293e10b8
SHA1 f12b14b48baa0a77857b4b4d35bdd9a008ba3ce0
SHA256 1dbb8e9dbdc842bcef3687d063ab784134a5a05ffb2b670d8fa386fb5c681e37
SHA512 dbfadf3f7f781139b7a85975b990a7d2bd77991a6abc84728cec045f30acf637aaf8eb167bbfd5948172e93ae03066d8995f6ce7340074e082cb450378387c1b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xevwkvr.dll

MD5 b5fe59a5eb96e56de8cca03247c939c4
SHA1 3dd3d489a200f844d82442cb75f009bc53a7836b
SHA256 580839c22fee79fb18d6fd8b51bc9b516c444f28e605c99ec306f2da00c1ca43
SHA512 5a15741308be6734d3d5dec8149c1c4662bff56919c79e4591e7d31cefbb80914d3286285e7458574522ac56c75c6395481e69f54eb8e2efe219ae79cb698629

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uxdeba.msc

MD5 55918de77dec9d8c7f1839fd6507328e
SHA1 42fff1063075bd8834196085e1daa1be7dd521e1
SHA256 36bc78f5bcce96227fb4d2c9fa71d1519ff49b7a353acd6d534c85715281e0bb
SHA512 5de72805473d924113b7f5ae78a18224d712cec08076d692ce6e441dc7c160714bb5ca332449686db81abf28f192833b6d1dfe7dbed3908c752a2058d6fa7ebd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uslwc.bin

MD5 680b62a3db2da9ef54fa9e9c8d75ba8e
SHA1 8f8b8672c8c88a248968a38db78977ee95678486
SHA256 b8528f6927830b88fdf7d1552ce107f3aa94e76c5b374a2eabcd00237769780d
SHA512 e7793b3ed1b367909ba75372a2c325659d5acdd80e39d2789ae513d76f8584515295ba1bc330c8062d700a4c23dfde7ac428e0d7647b31ebef30dc3945d5edd3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xuak.bin

MD5 f41715b43d8df9a61f49ed5a1b0ec84c
SHA1 e7540ee23febbf09c51b26df00a94397e131f6c7
SHA256 d1bc42aba1a9ca6263dfbcbd8fc6dbcf9a94c7c7e8865e1943e7e4b312d9d0b7
SHA512 6cbc93a6d89beb9b2f77cae3da44a50c5de809449d1017b20c6a447882d7171a34b55887c0cb7d44a62cce912380a498c480d9f7bb395d7cd2665df847d7e94e

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/2080-218-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-234-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2080-238-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-237-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-242-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-235-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-241-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-254-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-255-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-256-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-258-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-259-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-260-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-263-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-262-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-265-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-264-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-267-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-266-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-269-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

memory/2080-268-0x0000000000EC0000-0x0000000001EC0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 15:24

Reported

2024-07-19 15:26

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe"

Signatures

Remcos

rat remcos

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\vclr\\JPXOTX~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\vclr\\EQAHET~1.TXT" C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4124 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 4080 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 4080 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe C:\Windows\SysWOW64\WScript.exe
PID 956 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1684 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1684 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1684 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1416 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1416 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1684 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt
PID 1684 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt
PID 1684 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt
PID 4124 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4172 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4172 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4172 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 668 wrote to memory of 528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 668 wrote to memory of 528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 668 wrote to memory of 528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4124 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4124 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4596 wrote to memory of 4436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4596 wrote to memory of 4436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4596 wrote to memory of 4436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4124 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4124 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3528 wrote to memory of 1400 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 1400 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 1400 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe

"C:\Users\Admin\AppData\Local\Temp\5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rcmr.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c jpxo.txt eqahetgik.txt

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt

jpxo.txt eqahetgik.txt

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "C:\Users\Admin\AppData\Roaming\vclr\JPXOTX~1.EXE C:\Users\Admin\AppData\Roaming\vclr\EQAHET~1.TXT"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 75.127.7.188:2404 tcp
US 8.8.8.8:53 188.7.127.75.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 75.127.7.188:2404 tcp
US 75.127.7.188:2404 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rcmr.vbe

MD5 fc3e3014d4aa82973e80b6f342a9ba2b
SHA1 9d5a39ef43d8da3592b4aafbc33a0390486630c0
SHA256 3f9944b6e9f6ef701a3597ae329b547797e33c25fcc14656ca08a2f8d979f8bd
SHA512 495cae7e2a300c3aca2725b08d5cf87de15e95310c895694fd56bcce5a0e4c53afcf83f5ed8ff6d9ffa363cfd6a598c3e6e47cc240bc7f188311d7e5c6378da4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jpxo.txt

MD5 31db1d81c80c66640b773c535cdfa762
SHA1 9cfffe3e21ab746e18db1447bf339d1af2118570
SHA256 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211
SHA512 c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slnpcc.bmp

MD5 a186df88056e6531f57935a840fb02da
SHA1 77830b26b5335027c7b37c0612fb8a594e25fa50
SHA256 f743434830f555bdd171505d74ea4e54dd3581597fb14a36685bc9f64c86c1b6
SHA512 2a365786aabc5e954d73571df98926644636961ea10c5a9091385db0c50547aadb7b11ae9ce32da71fb6bc9cadb43435bbfcf0b40c98721d3ba487f560482102

C:\Users\Admin\AppData\Local\Temp\RarSFX0\djqdgwbjup.xls

MD5 2f6298e7823317e69c9e5b0b3d49c46a
SHA1 ef9a815bc27a83647e0d49bd65d8954b26468fd8
SHA256 84e7175e55ca315c2b0422303bd51d19c0f2bc3675383766fdfec0981f39d634
SHA512 ad6e3e2b7abaf6218900c36962b97830a21b7c60eda1a676d75197e02b587ece23afa880c3877a6fefcd180e822cb1eff9d0f880d810f4c3101579f08325d0f9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccqoqeu.pdf

MD5 fcc8d1cd6673dcb6c04d6ccfb7388698
SHA1 b764e503a349bd325a67e0bf9e96f4514f12584a
SHA256 f95d0705aa91a09dd4eb1e0746682d62473ecbd0e59bd4863280aca15feaeae2
SHA512 b48aa2c8eb5e0e4af945ca93f4dbc286c7daec05eafef47f76fd9df4b7f7f9ac82d434325a235228dc719aedb50a37d15948aa2d480da67e561a9cf0430e3864

memory/668-95-0x0000000005CD0000-0x00000000062F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dtsm.jpg

MD5 cbb75051b9b586241998b1fdcd67d78b
SHA1 00ba34d5001b982e286f8b387bc0dbf110c99033
SHA256 07c8c38235d62e1bf34574208c42c4f44e4f2e94adc5c682940522d50da6f86c
SHA512 d62004e23b1aec729b2e0a7fb7bc9a6ea22c73f18403a7b41595200dd677e4ba04246e669c3c24752e1d961a0d23347651e29789140c653eeb7a73129014fa9b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bgtilmk.docx

MD5 8c1cdc3b43f08410963d8060fd32c22c
SHA1 6e1d31315d1af1012b8ab59f2975203fc52a66a2
SHA256 e916bc2cf4d2df15201088d3af8ea17099538e9862c9e9b6c9f34c1c4c900f5e
SHA512 a6699139ecf017b2eebfe6d83133c44d57522fd80a2941185ffa81dca15a3f841f0e900cd1d4b83c543b604476d90cbb1e2de2dbbe4542f547ecf045b2a6738f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bgqhso.3gp

MD5 2eda4d9662f2ec6a9f18ac6e41824602
SHA1 2c0794038bd4e555e5049fc723c1ac1f04c6815c
SHA256 67673c64574e24c3f2320c11cd40791312261e3a77372a8a0075a72b892748f1
SHA512 1611c62500e2f8ed70fe0e3ebeeeb1c9d26597a20025eed572d74c6d8301407212a10ca1fd96c04e34b4104d677ceb55a65f10db49b7ec58abc3fdbd2c1b2406

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bdvfx.msc

MD5 2978de921acb45fbbfce3f86514345fb
SHA1 8a9bb11fd381383b68cfec28bb04c4d6d35a7b38
SHA256 5f763a4461a0518084e61c9b753260482b65cf0d53ec23f27b501ff47733e640
SHA512 3e9913ae9c59e83edf04df0df27706ccb083d344440ea769ecfac0ea87b0cf4f0c48ef1e71511657d3dcfb7125784bed4ee89dd418abcfd117a74a8a1e5a89c8

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bbcrxbrf.bmp

MD5 fccf20921245599a5ef6136a6d39bd05
SHA1 08bacf979e0ece9787419a90bfeb97c4f75c1535
SHA256 c2c47dd690cf25767edef1235b62991e45bc37ebafaa1c96589b4da1f22d7f72
SHA512 f0cc8c3e4ae06ef465c9f8f1bc6b142eedf7a94552a1315ce9d3f25d89bb5a6c79a21184f77fc5e7eb8aca9966fef4fa7f6b84154a4655f3c09a2c06b54b9248

memory/3784-76-0x0000000000DA0000-0x0000000000DD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hedtdprfhh.msc

MD5 4f537180aa01b0cb725e6fdba256d5c8
SHA1 7ae53b226891d886871de120bf6c7d2df4e6cd89
SHA256 4d5f0adb69a3ac9d0633cac6e0499aa4f24b0500c1484d6e336c4ee896e1f1fa
SHA512 87e47fed8f25cdf26a07092719b47eed91526e6c9e52ea4bd7ed176f95eb9d9c587b8b4c7bd425ee12a2d4a887eae086e7c060b7e3fbf7e1363ecc026d80d18b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xuak.bin

MD5 f41715b43d8df9a61f49ed5a1b0ec84c
SHA1 e7540ee23febbf09c51b26df00a94397e131f6c7
SHA256 d1bc42aba1a9ca6263dfbcbd8fc6dbcf9a94c7c7e8865e1943e7e4b312d9d0b7
SHA512 6cbc93a6d89beb9b2f77cae3da44a50c5de809449d1017b20c6a447882d7171a34b55887c0cb7d44a62cce912380a498c480d9f7bb395d7cd2665df847d7e94e

memory/4092-184-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

memory/4092-186-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/4092-185-0x0000000004E60000-0x0000000004EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xevwkvr.dll

MD5 b5fe59a5eb96e56de8cca03247c939c4
SHA1 3dd3d489a200f844d82442cb75f009bc53a7836b
SHA256 580839c22fee79fb18d6fd8b51bc9b516c444f28e605c99ec306f2da00c1ca43
SHA512 5a15741308be6734d3d5dec8149c1c4662bff56919c79e4591e7d31cefbb80914d3286285e7458574522ac56c75c6395481e69f54eb8e2efe219ae79cb698629

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uxdeba.msc

MD5 55918de77dec9d8c7f1839fd6507328e
SHA1 42fff1063075bd8834196085e1daa1be7dd521e1
SHA256 36bc78f5bcce96227fb4d2c9fa71d1519ff49b7a353acd6d534c85715281e0bb
SHA512 5de72805473d924113b7f5ae78a18224d712cec08076d692ce6e441dc7c160714bb5ca332449686db81abf28f192833b6d1dfe7dbed3908c752a2058d6fa7ebd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uslwc.bin

MD5 680b62a3db2da9ef54fa9e9c8d75ba8e
SHA1 8f8b8672c8c88a248968a38db78977ee95678486
SHA256 b8528f6927830b88fdf7d1552ce107f3aa94e76c5b374a2eabcd00237769780d
SHA512 e7793b3ed1b367909ba75372a2c325659d5acdd80e39d2789ae513d76f8584515295ba1bc330c8062d700a4c23dfde7ac428e0d7647b31ebef30dc3945d5edd3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\umruvetcoa.xls

MD5 4237b03ddcb3cd0141e7b092a2141dfc
SHA1 c78f69fed690749800401457195b1da2cfd183fb
SHA256 bee912427d32d9bf0a95a7777af1905c132c4bb86f107415bb4342ec44edbc39
SHA512 eb7368186c3587ac84416352aa935edf07253b41ca4fed116b7a85e96599d0ee8250323bd695e72b35a709265f5b0c024eac30293a47cb225c44941d43404826

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1go0tmk.pzv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slnpcc.bmp

MD5 b90868adcc7c4f2da3259afc293e10b8
SHA1 f12b14b48baa0a77857b4b4d35bdd9a008ba3ce0
SHA256 1dbb8e9dbdc842bcef3687d063ab784134a5a05ffb2b670d8fa386fb5c681e37
SHA512 dbfadf3f7f781139b7a85975b990a7d2bd77991a6abc84728cec045f30acf637aaf8eb167bbfd5948172e93ae03066d8995f6ce7340074e082cb450378387c1b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\siacmameh.ppt

MD5 5d142c120c7db8ab2a7b92f50127f15d
SHA1 9506fb229338a80fbdeb5f3d20b235e28ad218d4
SHA256 a510c262bc1b02499698faa0600c2ec96f256a224c7ac49aa107db2253cd5f64
SHA512 1f6eeb23b6391eb41e97d736a193479e7c443042e00f533a95d5645b4e28971c779cdd966c0d3004f1e84c891ac93b46ecd08970f1e450180764c669f7d91078

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rtpg.dat

MD5 1fc9423bec864971c5afab2214f6d44a
SHA1 236f5dedd821cf2e01bd18d735521a1d3f9cf0a2
SHA256 e9057af619ba77bd78d6227583a43026c921b4ca1e49685c95c239027b4ae519
SHA512 50d2329d2b593ea1830d8eec5b84a8ca662b0f37d1b2e738a8d1aeb26fa28d1cd6f46f818564c1433983039c4f8db0bae6916ccad422db0e4368bc043b2823aa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pbekquddo.msc

MD5 e39aaf523f448b303502c768d070e103
SHA1 c5a807a4f175c2c6319e773c4834076e67220a87
SHA256 f328431c16befb5b3471df95c03e60624fd21a9bff78469bf6af2c23f034b234
SHA512 6ca2d5962b171053a7ce444b548ec9a88832334c17f0b09ddd8c7320369f82ac60ebd5489e498754359249c302e165a321292a65894d575022f29f139a1847b4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nidm.ppt

MD5 5b3e8df25dc5ca6362492c39c09f8087
SHA1 fba19c00dfb3b90525dfb555459ba8e57a742ab3
SHA256 62358414507e3d5a59392d1e80f3753d961fcdb775c5889982e6f20905ec6c40
SHA512 bc519e0d58af8145773ec5516e72f49535075003c92b0bb3ff3ad8edfcb547a456fc6b4d3e1da88cd961e886d66cde04ff76afd56e1013b17b720b7ab8dde6ee

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nbrgvkjl.ddl

MD5 3b5ad23ea9ef85bf03191c08d0362ffe
SHA1 3f5f9ce3e99c107fda49ec6e10221f7bdaacea30
SHA256 fd5011e6560f01bd34a3116f6c73b4a7c09442b9926e47a53d64486033b871ae
SHA512 091aa5695edcd9d3e4edf9fc21bce017ab4bb89cde02eaf00ab6353baa4131f1b97d2114c6d6b6fbd964a66f2fe76f975eeb21c7ab8e4058048ace0fd5c19397

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mpplcxgur.bin

MD5 c21e42e247355aef3b2e44d9b19078cc
SHA1 f336a8894c6b814956501af015b6264ff66c060d
SHA256 fa309ce9f4d1a2ebfe7a29048c45359780440126853a40e086706105c4f139cc
SHA512 74a9845734b364075549a1ef9b42039c23bc9dd5324df6eb1ddc45a6ec4102bd611b737af283421bb61023921c54b5ee3660af88b8348246b10814538dc9a017

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lmcrn.ppt

MD5 18b4e259881f2bf0256d10efee53fa7c
SHA1 da43675a9367751ea3caf7703503418392c43064
SHA256 c279790371f5cfc4a53545e51279aa0a3537284f7dc643bd6da20509b3e8110f
SHA512 b5424b8731b9eeefd4dd5f7eda14e1d2b55495439fb8dbdc679626bb96496fbdc87184325a9d7637c08370694509e2743284185b243237247fb68bac8501d321

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kmkgx.mp2

MD5 c4a0fb26ad2871431e221c03246ba0fd
SHA1 ca9e310f0a1a79465ccd7c4660852f98ed833c0c
SHA256 f9a9fe50d23b1eafaf054e74e8f785c52c6b3222dd756405f14d9147a03ac9c7
SHA512 c46c6247366b2de20079f8a7266aa53342c3c2b3824e611b097356574ea61e3677de0be4a1fc8ec5d379df539abd519da7608191647f27f2d26cb8035c41344e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jgkcbdbfx.xl

MD5 cf6b7b70b26ecc6000c9ea24d1531d1b
SHA1 671eb7d5a2d55ccfab971121a617d5ba35c52bd2
SHA256 0ebfcef6095c95cd23315257fedb0dd2fd371b9e30d200a3ba7cf42d23529e6c
SHA512 7d7cf8e6cd93910c77fc7bd6339ac60d31627f9c195230e17f9bb80160a32a2027e2f85c43198fce1ff97b66fcc8adb338d511d8de225eb83e3ecce2906412d3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hufnen.ppt

MD5 563b1509730cfd682c5b9b6f0f6f7ae3
SHA1 aa2d4dbb302cf5699ac57f493dbfb5383397d337
SHA256 711f0b396b2e14a04eff353baf540f89d6c12196887a77a33801e144d2c296d3
SHA512 c34fffd2dd9650f8d19ab6e295bf4bb75c09b887903914d6328198e925c3d77de6a4e163b6676e412cd7184d13be6bbf0f37f93b46a96c989e919e8069fdc7dc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lkkpii.dat

MD5 639118e7b20d603b4689fe4521834344
SHA1 11b16e3ddb1694496e02dda267c6b35607286d69
SHA256 15ec69b85891e45fa20537ecff26f3804ca57d2218fc2e9eba06c1a27c45dff4
SHA512 a3a566b71e6003e67ad81310450e0de28d32e49ef36211e2f5b02a173c2a065719cc28464ed6e5e7fe47c2db730ce73ad0b048e235dc39982ce1cb2df244ef0c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hofjjug.xls

MD5 49ef42ad7b5bc93f53652abeb9b2e4c2
SHA1 f45022f784aa7abdf47cff530fa6463ddb2e0b80
SHA256 7781d547d36d0b457d900683cfa892d84c80202d68b3ea3d6b4577d5b50bbce4
SHA512 6d78341400ac1a0ac191906210bea8b41b8f5220cbcf974813ab1ea74b7595d80fd570cbe6c96f87ae3906f455ed194d4ef727188b3eaca8ccdb3430c87beff6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hhtvup.msc

MD5 333d55f83ee203d14aac66abb25d6a84
SHA1 64f0219f7e44c9f0b5056cc2e29f4328ce244f15
SHA256 701c7ea5acec3c1ef11f3f20d946f4dff55127b8bfc8ba3e15cd891a4791567a
SHA512 21737cdee057b20067e422c9e2cc6fd1a705c1fea96b0c4dea458520fe659466d4e07726815f4accc13782d58d6fe608c0735819da922b6292763f31d02bf2f9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fetdsri.ppt

MD5 0893fb535d123ea5960213661ac1206b
SHA1 1beaec720f2a4aa553dc9a6d0d63df7c96b95e4a
SHA256 bb53a01afb08b1ebba7bbd5a9a9053f0726d48bc7b6eb6a1bf783744356e2c20
SHA512 bf94e3a1690937a9045c1d0659459e656a0c83b0d99d0e46cf128d588eba7539902e8275873e24f863f0d2f4a839a7b077bf75cd2393343f770360365be0ae18

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hdvgdk.mp3

MD5 6760ddd9c1aa51d025f82e706399bb68
SHA1 721d02ae9b01c0dc48b629538b4e1f8a216d138d
SHA256 367296f217bb9c61e966abad10239f91668fd1f196c05d1021cf93277c9720a2
SHA512 aa4b4e4bb1399bd8c3cb1aa07e7c3594366ff33f01160957730c0503f2b0bdc21d721d7c7b914fb50b59323c11d489989bff422aa9697957793cb05839fe2e58

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gbnljluc.dat

MD5 559e9f534ae8c276e9922df8c07356d0
SHA1 c592b4b1d23f72bda26b3afcc88c403a7f06d30c
SHA256 20f44d57eddf9edce5265413c5f52ade82e546d183e26c1fd59ea286a01905cf
SHA512 4b40976c681d1d5e081773d21d6cf56b8ce568975256a419dcd21a7c6f76f97d3d8292b1be564843ddad86ba93611b609813fc805bc21d000837cf4de508aa09

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04b297f4dcbd32e7968add83e8a0bc99
SHA1 7252127658e9ab0178ef281bd768918a79ed7b23
SHA256 c616b9fe84166fb58eab63b5a1fc2759d748db54cb8e209ee08a1b43878f0fab
SHA512 f2bc2e0a6349dea8049ce42da0834996775ebe711f94f2d835a258c99569fc15ff2b3eada96b6ce044de8f30197b67304d23b880846db460fc33487295a4a2f7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 915cd962a173c613423aad1f70f25ad9
SHA1 b64d6b37634a4b00b02d4bc8f5e3d7fc95c80e84
SHA256 0065a0dc7c744941091cc97c89100f38683b97faa01a6e48714e0d66d1ea1571
SHA512 3a951bb0d3d3bcd21b02de4219c5c22afd854c0fde859f2af8480d02f5a24be45a0a8a2e39f05999ddbb7161abb9d282dd48440ff4f24083b60f8fa0b5257112

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4417904f6f1c7ecb5cb563d674425073
SHA1 453af5165116ef9746ab1482fe8f944874fa4b0e
SHA256 607dc953b7a9afb27e48618c05d2869a3e08a2014299b9a3ac8209b620a8a972
SHA512 33bd7f445df9e7094a7b9a72fc82282d7c8a28e3fd96b4a159ab1c3581de634eb6767f5fba4c43f8750c94aa9a06bc9da9f52d621fe15c53ff580f52ce04a91a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cafd1bf87e6d76e1296153af15503e32
SHA1 056b6ddda5faae8fcc4f69888bdf6ec3649bd963
SHA256 d38b4c105ae0544b3c2f1b786a5a79aa1f37d9d5dd5d54a176e30c42cf2b9d70
SHA512 bf9e8e3305ea9c2a84eca89695ef0aa28f51e22bbb12246dcc023b4f8670c705d8596293f5052bd8bd5a4f6303fe524f1e398a280deba4421db63ed632a9a07e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6154ca96011d7d99e18f2b57e22c1408
SHA1 5f1e7e1f2904144dd49af043e2d1a013767d1e65
SHA256 4b89440f69a6b151a4a58e683f087865a3865dbb0008c0a7ecdf677690cff508
SHA512 301b5c4fa7113b0ae9b9ad27943066daf6b591131afe5aa8e31d404afa66f2608c7e088e22554731ce29563c68aef430fc57149265b100f7046fac146cdbe692

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 44fc2cb960149c9d5e4129a7ce85ece9
SHA1 1e6f9d24efb9d5b2e59570fe9e573ed9536f0376
SHA256 f0b5ed5b39fbb3a874a666aebbd36252701dcb1b01b8987c27ecc35331c6452b
SHA512 e1c79b0d0bd72ffb1471f58d523849fee02d8767c59d65c3f2c30dc2524e8fc1700d277e989bf26ad850b359b2107d73bfeeef0cebe24afc1a9d8d775b2a87cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ecb77b34068e7b0a093df1098703cdad
SHA1 4619c321bdb2e9f2099192a80fe52458845c0186
SHA256 e410877372e3aff61e724abf7ab2f75545f9efb80183f3e3e6ca87bfd678c2de
SHA512 1edc8e87762c59ad799b51cc90964674e3f5ae6aae6e51eb842241cc0d6685f2e8585340845fa54ae003d90cce7507e131ad48df68774643d5b44ac3f09cdfb6
