Malware Analysis Report

2025-04-13 20:56

Sample ID 250320-nfjb2a1xgy
Target Nonagon.exe
SHA256 f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
Tags dcrat phemedrone umbral credential_access discovery infostealer persistence rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview


Threat Level: Known bad

The file Nonagon.exe was found to be: Known bad.

Malicious Activity Summary

dcrat phemedrone umbral credential_access discovery infostealer persistence rat spyware stealer

Detect Umbral payload

Umbral family

Dcrat family

Process spawned unexpected child process

Phemedrone family

Umbral

Phemedrone

DcRat

DCRat payload

Downloads MZ/PE file

Uses browser remote debugging

Checks computer location settings

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Reads user/profile data of web browsers

Modifies WinLogon

Looks up external IP address via web service

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-20 11:20

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 11:20

Reported

2025-03-20 11:22

Platform

win10ltsc2021-20250314-en

Max time kernel

79s

Max time network

75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Detect Umbral payload


Phemedrone

stealer phemedrone

Phemedrone family

phemedrone

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (x18, one per schtasks.exe invocation listed under Processes)

Umbral

stealer umbral

Umbral family

umbral

DCRat payload

rat
Description Indicator Process Target

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A

Uses browser remote debugging

credential_access stealer
Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Windows\debug\DebugTracker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe N/A (x8)
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Program Files\WinRAR\RarExtPackage.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe" C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WinRAR\RarExtPackage.exe C:\Users\Admin\AppData\Local\Temp\Nonagon.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe C:\Windows\debug\DebugTracker.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\56085415360792 C:\Windows\debug\DebugTracker.exe N/A
File created C:\Program Files (x86)\Google\Update\DebugTracker.exe C:\Windows\debug\DebugTracker.exe N/A
File created C:\Program Files (x86)\Google\Update\baf0f489ef151f C:\Windows\debug\DebugTracker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\debug\VUQLBafFd1oU7p3k.vbe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\cs2.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\DebugTracker.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\VUQLBafFd1oU7p3k.vbe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\wtf1.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\wtf1.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\wtf.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\wtf.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\cs2.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\__tmp_rar_sfx_access_check_240610671 C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat C:\Program Files\WinRAR\RarExtPackage.exe N/A
File opened for modification C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat C:\Program Files\WinRAR\RarExtPackage.exe N/A
File created C:\Windows\debug\DebugTracker.exe C:\Program Files\WinRAR\RarExtPackage.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\WinRAR\RarExtPackage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe N/A (x8)
Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings C:\Program Files\WinRAR\RarExtPackage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\debug\wtf.exe N/A (x10)
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A (x4)
N/A N/A C:\Windows\debug\cs2.exe N/A (x2)
N/A N/A C:\Windows\debug\DebugTracker.exe N/A (x9)
N/A N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe N/A (x8)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\debug\wtf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\debug\wtf1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
(the same 21 token adjustments above were logged twice for wmic.exe)
Token: SeDebugPrivilege N/A C:\Windows\debug\cs2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\debug\DebugTracker.exe N/A
Token: SeDebugPrivilege N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe N/A (x8)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Nonagon.exe C:\Program Files\WinRAR\RarExtPackage.exe (x3)
PID 4320 wrote to memory of 4068 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\SysWOW64\WScript.exe (x3)
PID 4320 wrote to memory of 4596 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\wtf1.exe (x2)
PID 4320 wrote to memory of 2156 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\wtf.exe (x2)
PID 4320 wrote to memory of 2008 N/A C:\Program Files\WinRAR\RarExtPackage.exe C:\Windows\debug\cs2.exe (x2)
PID 2008 wrote to memory of 4544 N/A C:\Windows\debug\cs2.exe C:\Program Files\Google\Chrome\Application\chrome.exe (x2)
PID 4544 wrote to memory of 4588 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (x2)
PID 4596 wrote to memory of 5076 N/A C:\Windows\debug\wtf1.exe C:\Windows\System32\Wbem\wmic.exe (x2)
PID 4068 wrote to memory of 5468 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (x3)
PID 5468 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\debug\DebugTracker.exe (x2)
PID 2188 wrote to memory of 940 N/A C:\Windows\debug\DebugTracker.exe C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe (x2)
PID 940 wrote to memory of 1512 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 940 wrote to memory of 3552 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 1512 wrote to memory of 2392 N/A C:\Windows\System32\WScript.exe C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe (x2)
PID 2392 wrote to memory of 3860 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 2392 wrote to memory of 2980 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 3860 wrote to memory of 2136 N/A C:\Windows\System32\WScript.exe C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe (x2)
PID 2136 wrote to memory of 920 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 2136 wrote to memory of 4504 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 920 wrote to memory of 5792 N/A C:\Windows\System32\WScript.exe C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe (x2)
PID 5792 wrote to memory of 1192 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 5792 wrote to memory of 4324 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 1192 wrote to memory of 1400 N/A C:\Windows\System32\WScript.exe C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe (x2)
PID 1400 wrote to memory of 5692 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 1400 wrote to memory of 240 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 5692 wrote to memory of 3940 N/A C:\Windows\System32\WScript.exe C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe (x2)
PID 3940 wrote to memory of 1212 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 3940 wrote to memory of 460 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 1212 wrote to memory of 4644 N/A C:\Windows\System32\WScript.exe C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe (x2)
PID 4644 wrote to memory of 4796 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe (x2)
PID 4644 wrote to memory of 5012 N/A C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe

"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"

C:\Program Files\WinRAR\RarExtPackage.exe

"C:\Program Files\WinRAR\RarExtPackage.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"

C:\Windows\debug\wtf1.exe

"C:\Windows\debug\wtf1.exe"

C:\Windows\debug\wtf.exe

"C:\Windows\debug\wtf.exe"

C:\Windows\debug\cs2.exe

"C:\Windows\debug\cs2.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x224,0x228,0x22c,0x220,0x230,0x7ffa3f80dcf8,0x7ffa3f80dd04,0x7ffa3f80dd10

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "

C:\Windows\debug\DebugTracker.exe

"C:\Windows\debug\DebugTracker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DebugTrackerD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\DebugTracker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DebugTracker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\DebugTracker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DebugTrackerD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\DebugTracker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cs2c" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cs2.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cs2" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cs2.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cs2c" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cs2.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\a5f1eda8760fc790760b7e5a7f56\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\a5f1eda8760fc790760b7e5a7f56\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

"C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0933bdab-ea90-42f9-bd29-d3ca29fb21a9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac7b2aab-44f4-44df-ad75-8f2817e95493.vbs"

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71a646e0-9f52-4dff-bbf5-ebb4b627b635.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed56f984-9f35-4988-b7d1-d9c0e0095f8b.vbs"

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31504268-7052-401e-a8af-83bbfe59b09d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc40bb04-abaf-479d-aa09-fec94fa0909e.vbs"

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9b3dd4-5b3c-4d35-a67b-641a5a0fc11f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22ee6db-3533-4bfb-92ea-0feaf69ffac6.vbs"

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f27613-e0d9-40c0-a233-d090cc26085c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02277b7d-526d-44f3-87e9-6a0e7b9969da.vbs"

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fef3fecb-b164-4b72-a58a-586fa41a216b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9bb014-4fb8-4117-bb57-9288ebe550b2.vbs"

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c74ceb65-6988-47cb-ab60-b79dea452fd7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fe7b0d5-f930-4cd3-9fdd-5bc36d7be8a2.vbs"

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\a5f1eda8760fc790760b7e5a7f56\cmd.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84a7e017-e1a2-47aa-999d-d6b19877f6e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e04ff47-b771-4664-b85a-841e0a0888c1.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 utka.xyz udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 get.geojs.io udp
US 104.26.0.100:443 get.geojs.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 gsfaggsagsgasfgg.x10.mx udp (x5)
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Program Files\WinRAR\RarExtPackage.exe


C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

MD5 f9ed37928a0d95692faa9f69d0cd5cb7
SHA1 77c2968f3d2ba8afb128307105861734b4fce286
SHA256 61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a
SHA512 cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

C:\Windows\debug\wtf1.exe

MD5 187795687849f43176bc94aff323435f
SHA1 22e3d510df771291a2a256946ac6268ccf5d10be
SHA256 d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e
SHA512 b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

C:\Windows\debug\wtf.exe

MD5 47ba0b9187c62981c229372477e2b2a0
SHA1 9c861ee21eb30ec6aa35b02bd437f70c2ac25eee
SHA256 93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc
SHA512 2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

memory/4596-72-0x000001821F970000-0x000001821F9B0000-memory.dmp

C:\Windows\debug\cs2.exe

MD5 509f2eeba11a964fa8d22ab6994cee78
SHA1 544321089bbc1cbc6e51eabcfcb0c042f797142c
SHA256 21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a
SHA512 f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

memory/2156-79-0x00000193CB220000-0x00000193CB266000-memory.dmp

memory/2008-83-0x0000026E6C1F0000-0x0000026E6C218000-memory.dmp

C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat

MD5 159dec09c9bf063b00e4952d8665a601
SHA1 38bac5d19ebd3822e23b07932cd65ba7c2c08a9c
SHA256 f380d068932fe95e35273007cae8acc6d71bd62446c7fa7f0ed0da6bcb7b0c9c
SHA512 5cb79038ee2f712aead2b6180af25305326044711d9f8270b4075eabe7635c096eb8c4e22182633d639abf29293d28a7187d5c8bb5726cd6a9707b48961df073

C:\Windows\debug\DebugTracker.exe

MD5 22cbb5402a44f058c9176e04aa74b5f6
SHA1 10838c4611974ba2a5382442677dcf679840ecdd
SHA256 5d1930426e5e41548bcc214c4298c96028ea71d2a83f755e50fa5756c35a615a
SHA512 10d0693f4c6ff9cbcdf5b4ec8b0c690f11d9463c834c94fc7659bf9a89edae9c0b951e55f5909344caf4cccc1ea8d7635b58126cb3667847a290b4f0ac49f0a0

memory/2188-89-0x00000000008D0000-0x00000000009C2000-memory.dmp

memory/2188-90-0x0000000001220000-0x000000000122A000-memory.dmp

memory/2188-91-0x0000000001240000-0x000000000124E000-memory.dmp

memory/2188-92-0x0000000001250000-0x0000000001258000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0933bdab-ea90-42f9-bd29-d3ca29fb21a9.vbs

MD5 3098968e80943bc4c8ba6ede4fe63639
SHA1 bdc8453b4e2b57e3e0a66d466434016646d2f004
SHA256 9b546665fb987cba9b933a6f2ce18ccdb174004c485090856e45ba3e3e2b3964
SHA512 1e0cee09c37aa90bdd0a872272c7172ef3bde51bf87951be9ed312f54c44e7ebcff4afa06562ccdfc01e006b20b80b4d09d2cbe669f5a3d8fffa1d2c97aa6766

C:\Users\Admin\AppData\Local\Temp\ac7b2aab-44f4-44df-ad75-8f2817e95493.vbs

MD5 a04acf4f4449ed600781d672690362a0
SHA1 02d84ccc5b834c37643ae61886e74ac90c2b7362
SHA256 c8e2ca2dec9c0748703c45c231255d85fda13274ace9b397f087636bb64074bc
SHA512 14c5ba14feb25dc0eef3bb414ddc0f9b91ff7c180e6e3d93c28fc634c27a6467b28bf554c9bd548f7f28ee70b10ba89cccbfd44de1b652cdae3d92144d37c91c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

MD5 ff7ce793bcf47827eb5d4b597959a841
SHA1 5af4410d4ae6fff5f90030556de31a3dfe620845
SHA256 3cd72e1b802edf5156a5cb51a21acce032fc7ba0fe6a500027674d833373e0f8
SHA512 ec106eb5dfc3b27d4dc9ac08f77a5afe1a2aa7cba75f648b4c417ad89b78c7e469f6a18ac1f42acbc821d8a07bef0ae067a4f3ff0dc0b71c54379d8877947de6

C:\Users\Admin\AppData\Local\Temp\71a646e0-9f52-4dff-bbf5-ebb4b627b635.vbs

MD5 458c96140a6cff3831e0bc644a216f87
SHA1 597c23870a864cbba1d05f362671b84d853fa0d4
SHA256 7571bfc883a64c3903d9ecfb40ff98994f9f2eab79ee9f1f3490ead018ca965a
SHA512 923f67e436d97c5eb991c15fa8e24bc8a7b29a8a489a538556ad0c3d5abb6003b3a2f8b067d57269a31fe938540641cfda975b7ee4a1a6d60ebecb08a36fcfb6

C:\Users\Admin\AppData\Local\Temp\31504268-7052-401e-a8af-83bbfe59b09d.vbs

MD5 f762818b3aee80fb1305781894972079
SHA1 0efbc967f0ca75c69198c8ce2629ad2827b87f58
SHA256 23b7e985a45a4b933b943dce77c10533cac76e976ec1cd527c01533adaf92585
SHA512 52dca854cd544e46a30a3128ae7e35a79bcef2614927de47d0fe5401380aa7889f497454af5cde459900d246a2a21b2613a272d9e8c005c8b606bf39fcec2107

C:\Users\Admin\AppData\Local\Temp\fe9b3dd4-5b3c-4d35-a67b-641a5a0fc11f.vbs

MD5 2c71bda41b133133d18c1997d4d48628
SHA1 c22c2194df77e478561b7796ac4732f3e18b8398
SHA256 cba4d0905b65797a29a25356b6739ae76506c6c189978b5f56051ad9db6a2c20
SHA512 b2cec89a1698a1d9ea81fbc3a1a9007fe4519bf18cb76af6f576a76eb526295ed205b35da4af13e2f7213eea6e41b32d99b16bfa2f2f88cced0333e205747c64

C:\Users\Admin\AppData\Local\Temp\c9f27613-e0d9-40c0-a233-d090cc26085c.vbs

MD5 15f7df3606c966ccd945aef7b70e038a
SHA1 d161a1d1a6fd272eb0c3a00e01d87f3e8a7ed0bb
SHA256 567cf22e43046d0c79557d4a592123b637db9510dab7f22892f7389096ca1dc9
SHA512 2ef8309b9fab3fb3f415b4dcf2983c2cc96ab78185a529028822ffc3e615fd8623dc398638c6f21b1b79a961160b470fa977730a18ecc29463f0968035fc2430

C:\Users\Admin\AppData\Local\Temp\fef3fecb-b164-4b72-a58a-586fa41a216b.vbs

MD5 e1344ab5ea9e499a45744e98ec5216bc
SHA1 cbc85b0b570d95518971a0d24b5ed77421f8b5de
SHA256 49a5997c6908a0fecf28b5111cb9d9225ea10d59d3c951e440e8b9951831269f
SHA512 bbd8952a3316633ed69cd8304fba4ca6db2162081888e38a5840e266938cc46a7c8d28ae69bdfa73427c17dfdb0a44b6133d80e382c0a12456b403507bbdaae6

C:\Users\Admin\AppData\Local\Temp\c74ceb65-6988-47cb-ab60-b79dea452fd7.vbs

MD5 353b5a8159cc8fc21e979a98ab97f195
SHA1 4653c165b2f5f37bad8ad669ec368d345643df09
SHA256 bc57564bfc3891c35d6ae4660249f46f9ef813711b2635d75fb8df94bca47fcd
SHA512 2505358747ff18434f85406b11e817092a09f823e3f079cdd599871114687a5fe64525848f7c2665b7596efc07240f39b2bdb23e99fe8c1568929bac10a69a44

C:\Users\Admin\AppData\Local\Temp\84a7e017-e1a2-47aa-999d-d6b19877f6e4.vbs

MD5 640a93cdf72766334c6bede77751edfe
SHA1 057cef8ea5071c4f3f5959adafaf106a954feaa1
SHA256 7df060ec60d150b09a0c31e7a7ad58cf0a3077e781743f0b56d45742528445c3
SHA512 83c1db5c7f05b4bb3d811791630ab1ac7509a7fc4c4f8f1a7143a5819ea7d6cfa687e8b7046150ebcbee3a12ab154523c39e819a5006e8d204b39e4277195162