Malware Analysis Report

2024-10-23 17:13

Sample ID 210928-gm2nmaagbn
Target info.txt.js
SHA256 7f99624842278a1f965ff411dc0efe4c26b1bb2d22099ab7fc87f5d8508b0413
Tags taurus discovery evasion persistence spyware stealer themida trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 7f99624842278a1f965ff411dc0efe4c26b1bb2d22099ab7fc87f5d8508b0413

Threat Level: Known bad

The file info.txt.js was found to be: Known bad.

Malicious Activity Summary

taurus discovery evasion persistence spyware stealer themida trojan

Taurus Stealer

Taurus Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Deletes itself

Themida packer

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-09-28 05:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2021-09-28 05:56
Reported 2021-09-28 05:58
Platform win7-en-20210920
Max time kernel 149s
Max time network 148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\info.txt.js

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\rYbykTEK = "C:\\Users\\Admin\\AppData\\Roaming\\rtbGdENb.jse" C:\Windows\system32\wscript.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1684 set thread context of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2012 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2024 wrote to memory of 2012 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2024 wrote to memory of 2012 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2012 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2012 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2012 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2012 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2012 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2012 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2012 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1684 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 620 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe
PID 620 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe
PID 620 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe
PID 620 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe
PID 620 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1628 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1628 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1628 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 620 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1572 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2024 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1572 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe C:\Windows\System32\cmd.exe
PID 1572 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe C:\Windows\System32\cmd.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\info.txt.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rtbGdENb.jse"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe

"C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\ekfelBGb.exe"

C:\Windows\SysWOW64\cmd.exe

/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\ekfelBGb.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 3

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Local\Temp\services32.exe

"C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\taskeng.exe

taskeng.exe {FADEC855-AEF5-41DB-97F7-86119F6C9C66} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 35.194.62.150:80 35.194.62.150 tcp
US 8.8.8.8:53 software.offerday.org udp
US 172.67.139.57:443 software.offerday.org tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 8.8.8.8:53 topsekret555.club udp
US 172.67.136.181:443 topsekret555.club tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 52.216.207.99:443 bbuseruploads.s3.amazonaws.com tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 35.194.62.150:80 35.194.62.150 tcp
US 35.194.62.150:80 35.194.62.150 tcp

Files

memory/2024-53-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

memory/2012-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\rtbGdENb.jse

MD5 0c16a5e293dcef0d5161f188ca8b1ed9
SHA1 c3ca13590f8c3964de3e639aa908ba9601fe2509
SHA256 3522c792d0b76231320540567d2fe4084a29060e14121635e68b90ee68c9a6d4
SHA512 4eed53d7d260497727c83b9876dad6ef0482474ac99291751357014006aaa581e1f91aa53a2fefb9bef8db5c364653375e42eacb554b698ff519b27aef1d84fb

memory/1684-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 68106119e2ebb4bf67817e6549871a74
SHA1 be2b0aa9150887fadd85a4c5795501e83a4e1ef4
SHA256 07f697a46c26e3b4149a0db587227d571f5ffae8e013276c5ca91618d5b8b0f4
SHA512 3b4ffac36c69e8bae20991d8fff7c2bc5734e944ea37d5212aedb1d319e430c373c310d0ee2460f02b08b56c915f1a507faae33f4e001e3a3bc5a48ee508dfa9

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 68106119e2ebb4bf67817e6549871a74
SHA1 be2b0aa9150887fadd85a4c5795501e83a4e1ef4
SHA256 07f697a46c26e3b4149a0db587227d571f5ffae8e013276c5ca91618d5b8b0f4
SHA512 3b4ffac36c69e8bae20991d8fff7c2bc5734e944ea37d5212aedb1d319e430c373c310d0ee2460f02b08b56c915f1a507faae33f4e001e3a3bc5a48ee508dfa9

memory/1684-59-0x0000000075821000-0x0000000075823000-memory.dmp

memory/1684-60-0x0000000001290000-0x0000000001291000-memory.dmp

memory/1684-62-0x0000000005040000-0x0000000005041000-memory.dmp

memory/1684-63-0x0000000000620000-0x0000000000636000-memory.dmp

memory/1684-64-0x00000000055B0000-0x0000000005618000-memory.dmp

memory/1684-65-0x0000000000F50000-0x0000000000F91000-memory.dmp

\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 68106119e2ebb4bf67817e6549871a74
SHA1 be2b0aa9150887fadd85a4c5795501e83a4e1ef4
SHA256 07f697a46c26e3b4149a0db587227d571f5ffae8e013276c5ca91618d5b8b0f4
SHA512 3b4ffac36c69e8bae20991d8fff7c2bc5734e944ea37d5212aedb1d319e430c373c310d0ee2460f02b08b56c915f1a507faae33f4e001e3a3bc5a48ee508dfa9

memory/620-67-0x0000000000400000-0x000000000043A000-memory.dmp

memory/620-68-0x000000000041EB74-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 68106119e2ebb4bf67817e6549871a74
SHA1 be2b0aa9150887fadd85a4c5795501e83a4e1ef4
SHA256 07f697a46c26e3b4149a0db587227d571f5ffae8e013276c5ca91618d5b8b0f4
SHA512 3b4ffac36c69e8bae20991d8fff7c2bc5734e944ea37d5212aedb1d319e430c373c310d0ee2460f02b08b56c915f1a507faae33f4e001e3a3bc5a48ee508dfa9

memory/620-71-0x0000000000400000-0x000000000043A000-memory.dmp

\Users\Admin\AppData\Local\Temp\Clfbibif.exe

MD5 b4660eb00a0bda6878645d6a4d73f1b0
SHA1 7dde0bb3008f5f8f0a38ad891da8902e7b3713b2
SHA256 44d2f8c798594a326b6b66d3a0a611acb6b847ab3225579055bcc6605bff4b67
SHA512 a1de8d764aba5164ca7ae4b113f104953afe3a2b5eb07bc60b18d6eecc532ded29e65a21ab185c406a08c45a843a23441ee8fd0ba438dd01014cbed11b586dcc

memory/1572-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe

MD5 b4660eb00a0bda6878645d6a4d73f1b0
SHA1 7dde0bb3008f5f8f0a38ad891da8902e7b3713b2
SHA256 44d2f8c798594a326b6b66d3a0a611acb6b847ab3225579055bcc6605bff4b67
SHA512 a1de8d764aba5164ca7ae4b113f104953afe3a2b5eb07bc60b18d6eecc532ded29e65a21ab185c406a08c45a843a23441ee8fd0ba438dd01014cbed11b586dcc

memory/1628-75-0x0000000000000000-mapping.dmp

memory/1940-76-0x0000000000000000-mapping.dmp

memory/2004-77-0x0000000000000000-mapping.dmp

memory/1572-79-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/1572-80-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/1196-81-0x0000000000000000-mapping.dmp

memory/1616-82-0x0000000000000000-mapping.dmp

memory/1572-83-0x000000013FD90000-0x000000013FD91000-memory.dmp

memory/2024-85-0x0000000000000000-mapping.dmp

memory/1404-86-0x0000000000000000-mapping.dmp

memory/1404-88-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

memory/1404-91-0x0000000002812000-0x0000000002814000-memory.dmp

memory/1404-90-0x0000000002810000-0x0000000002812000-memory.dmp

memory/1404-92-0x0000000002814000-0x0000000002817000-memory.dmp

memory/1572-89-0x000000001C590000-0x000000001C592000-memory.dmp

memory/1404-93-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

memory/1952-94-0x0000000000000000-mapping.dmp

memory/1404-96-0x000000000281B000-0x000000000283A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a77a6f427f7f62529e868b7cf814ee98
SHA1 12e0df4a3799d2cdef29fddc254a871c04df008c
SHA256 1b57e439724c1fe1e3324c35ad380bfa88d342211dd2b2dfa48e3541349796a4
SHA512 c289160ddc477f951cf4e5fb2ccf39af77de6f5144f3e7cdd05d2d8cd14c8fb38a143134ed64c1887fc52bcc863f88fc838c19f8688546ace6d06a9bb0811445

memory/1952-98-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

memory/472-99-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a77a6f427f7f62529e868b7cf814ee98
SHA1 12e0df4a3799d2cdef29fddc254a871c04df008c
SHA256 1b57e439724c1fe1e3324c35ad380bfa88d342211dd2b2dfa48e3541349796a4
SHA512 c289160ddc477f951cf4e5fb2ccf39af77de6f5144f3e7cdd05d2d8cd14c8fb38a143134ed64c1887fc52bcc863f88fc838c19f8688546ace6d06a9bb0811445

memory/1952-102-0x0000000001E02000-0x0000000001E04000-memory.dmp

memory/1952-105-0x0000000001E04000-0x0000000001E07000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1952-101-0x0000000001E00000-0x0000000001E02000-memory.dmp

memory/472-108-0x00000000028E2000-0x00000000028E4000-memory.dmp

memory/472-106-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

memory/472-107-0x00000000028E0000-0x00000000028E2000-memory.dmp

memory/472-109-0x00000000028E4000-0x00000000028E7000-memory.dmp

memory/1952-110-0x0000000001E0B000-0x0000000001E2A000-memory.dmp

memory/472-111-0x000000001B720000-0x000000001BA1F000-memory.dmp

memory/472-112-0x00000000028EB000-0x000000000290A000-memory.dmp

memory/376-113-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a77a6f427f7f62529e868b7cf814ee98
SHA1 12e0df4a3799d2cdef29fddc254a871c04df008c
SHA256 1b57e439724c1fe1e3324c35ad380bfa88d342211dd2b2dfa48e3541349796a4
SHA512 c289160ddc477f951cf4e5fb2ccf39af77de6f5144f3e7cdd05d2d8cd14c8fb38a143134ed64c1887fc52bcc863f88fc838c19f8688546ace6d06a9bb0811445

memory/376-116-0x000007FEED7C0000-0x000007FEEE31D000-memory.dmp

memory/376-117-0x0000000002750000-0x0000000002752000-memory.dmp

memory/376-119-0x0000000002752000-0x0000000002754000-memory.dmp

memory/376-118-0x000000000275B000-0x000000000277A000-memory.dmp

memory/376-120-0x0000000002754000-0x0000000002757000-memory.dmp

memory/1288-121-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5 acc8d4e1ebe2a80fdddfccc9f1a023c1
SHA1 844b925ac0bf210a6b3cff6042f03fc37e958193
SHA256 051fd9088d21f0a61b2442f4a1d9835c98c6198d09aaa2671cacccd26ec2fafe
SHA512 c13f73565eed5850236ff3da9c333d7359a591c1569d8e70f1d6c3bfe38891cd5450ba24de5f6e92b1401c412d8f8219ef25b4956973e0f92b6bfe4575885070

memory/1732-123-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5 acc8d4e1ebe2a80fdddfccc9f1a023c1
SHA1 844b925ac0bf210a6b3cff6042f03fc37e958193
SHA256 051fd9088d21f0a61b2442f4a1d9835c98c6198d09aaa2671cacccd26ec2fafe
SHA512 c13f73565eed5850236ff3da9c333d7359a591c1569d8e70f1d6c3bfe38891cd5450ba24de5f6e92b1401c412d8f8219ef25b4956973e0f92b6bfe4575885070

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5 acc8d4e1ebe2a80fdddfccc9f1a023c1
SHA1 844b925ac0bf210a6b3cff6042f03fc37e958193
SHA256 051fd9088d21f0a61b2442f4a1d9835c98c6198d09aaa2671cacccd26ec2fafe
SHA512 c13f73565eed5850236ff3da9c333d7359a591c1569d8e70f1d6c3bfe38891cd5450ba24de5f6e92b1401c412d8f8219ef25b4956973e0f92b6bfe4575885070

memory/1732-126-0x000000013FF50000-0x000000013FF51000-memory.dmp

memory/720-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Clfbibif.exe

MD5 b4660eb00a0bda6878645d6a4d73f1b0
SHA1 7dde0bb3008f5f8f0a38ad891da8902e7b3713b2
SHA256 44d2f8c798594a326b6b66d3a0a611acb6b847ab3225579055bcc6605bff4b67
SHA512 a1de8d764aba5164ca7ae4b113f104953afe3a2b5eb07bc60b18d6eecc532ded29e65a21ab185c406a08c45a843a23441ee8fd0ba438dd01014cbed11b586dcc

memory/1752-130-0x0000000000000000-mapping.dmp

memory/1732-131-0x000000001BCF0000-0x000000001BCF2000-memory.dmp

\Users\Admin\AppData\Local\Temp\services32.exe

MD5 b4660eb00a0bda6878645d6a4d73f1b0
SHA1 7dde0bb3008f5f8f0a38ad891da8902e7b3713b2
SHA256 44d2f8c798594a326b6b66d3a0a611acb6b847ab3225579055bcc6605bff4b67
SHA512 a1de8d764aba5164ca7ae4b113f104953afe3a2b5eb07bc60b18d6eecc532ded29e65a21ab185c406a08c45a843a23441ee8fd0ba438dd01014cbed11b586dcc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a77a6f427f7f62529e868b7cf814ee98
SHA1 12e0df4a3799d2cdef29fddc254a871c04df008c
SHA256 1b57e439724c1fe1e3324c35ad380bfa88d342211dd2b2dfa48e3541349796a4
SHA512 c289160ddc477f951cf4e5fb2ccf39af77de6f5144f3e7cdd05d2d8cd14c8fb38a143134ed64c1887fc52bcc863f88fc838c19f8688546ace6d06a9bb0811445

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 13af8161b935c620a73d36dd00327ce2
SHA1 fad232626b5f5ab88855b16427d8fb3efea9723b
SHA256 6852687d98931c0baac4f20ffaf670ac548e93066d844d7b22c91f220e94a43c
SHA512 8a443cc9957a585bedac7102c3d9f45ea59dd5208be27ee7451198027d5ce9ecb9215b87122db3c202b63543a49268d34f0eb98cc7869886feec9e4cc4d02a9a

\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 812beec5864b07c7731ef249ea507f80
SHA1 b3e676a95d1fb0a37bc6cf68d265fb0978203cb7
SHA256 76431f8d6eb79586cf18b7fe473970f043ea4774c44abd8212dabfe2936df8e2
SHA512 87afd83e7ef4196ec0d950a3f7cc230670acfbc89b7b8b56052005c4150a628928f592d257e64601433b70708014d67d800d4e3e25c66616540063cd07e82cf2

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-28 05:56

Reported

2021-09-28 05:58

Platform

win10v20210408

Max time kernel

149s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\info.txt.js

Signatures

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\rYbykTEK = "C:\\Users\\Admin\\AppData\\Roaming\\rtbGdENb.jse" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\wscript.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4764 set thread context of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4652 wrote to memory of 4700 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 4652 wrote to memory of 4700 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 4700 wrote to memory of 4764 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4700 wrote to memory of 4764 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4700 wrote to memory of 4764 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4764 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4268 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe
PID 4268 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe
PID 4268 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 3344 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3344 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3344 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4268 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 804 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 804 wrote to memory of 1440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 676 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 676 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4116 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe C:\Windows\SYSTEM32\cmd.exe
PID 4116 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe C:\Windows\SYSTEM32\cmd.exe
PID 1688 wrote to memory of 1860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 1860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4076 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2320 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2320 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe C:\Windows\System32\cmd.exe
PID 4116 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe C:\Windows\System32\cmd.exe
PID 4276 wrote to memory of 5024 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost32.exe
PID 4276 wrote to memory of 5024 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost32.exe
PID 5024 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Windows\System32\cmd.exe
PID 4256 wrote to memory of 508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4256 wrote to memory of 508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5024 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 5024 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 5024 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Windows\System32\cmd.exe
PID 3832 wrote to memory of 804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 3832 wrote to memory of 804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 488 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\SYSTEM32\cmd.exe
PID 488 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\SYSTEM32\cmd.exe
PID 1132 wrote to memory of 808 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1132 wrote to memory of 808 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1132 wrote to memory of 2340 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1132 wrote to memory of 2340 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\info.txt.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rtbGdENb.jse"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe

"C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\ajHGkbbC.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe"

C:\Windows\SysWOW64\cmd.exe

/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\ajHGkbbC.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 3

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe"

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Local\Temp\services32.exe

"C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe

C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe"

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\dAIleCGE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Local\Temp\services32.exe

"C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network

Country  Destination          Domain                           Proto
US       35.194.62.150:80     35.194.62.150                    tcp
US       8.8.8.8:53           software.offerday.org            udp
US       172.67.139.57:443    software.offerday.org            tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       8.8.8.8:53           topsekret555.club                udp
US       172.67.136.181:443   topsekret555.club                tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       8.8.8.8:53           bitbucket.org                    udp
US       104.192.141.1:443    bitbucket.org                    tcp
US       8.8.8.8:53           bbuseruploads.s3.amazonaws.com   udp
US       52.217.41.76:443     bbuseruploads.s3.amazonaws.com   tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       35.194.62.150:80     35.194.62.150                    tcp
US       35.194.62.150:80     35.194.62.150                    tcp

Files
