Malware Analysis Report

2025-04-03 08:59

Sample ID 230125-vnnp2saf21
Target libreoffice_out.exe
SHA256 c0b6a90bb020f1795ae0c9eacf27dd940a69ca694670c1eb6afdcb65edb9e59b
Tags
discovery evasion persistence spyware stealer trojan aurora redline redline infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0b6a90bb020f1795ae0c9eacf27dd940a69ca694670c1eb6afdcb65edb9e59b

Threat Level: Known bad

The file libreoffice_out.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan aurora redline redline infostealer

RedLine

Aurora

UAC bypass

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-25 17:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-25 17:08

Reported

2023-01-25 17:10

Platform

win7-20220901-en

Max time kernel

107s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eupdgebosk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gzjkqcsse\\Eupdgebosk.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A eth0.me N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1936 set thread context of 1316 N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe
PID 1272 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe
PID 1272 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe
PID 1272 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe
PID 1272 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1272 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1272 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1272 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1272 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1272 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1272 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1272 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1576 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1680 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe
PID 1576 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe
PID 1576 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe

"C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe"

C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 installmarkets.lol udp
N/A 188.114.96.0:443 installmarkets.lol tcp
N/A 8.8.8.8:53 apps.identrust.com udp
N/A 88.221.25.169:80 apps.identrust.com tcp
N/A 35.230.153.115:15647 tcp
N/A 8.8.8.8:53 pastebin.com udp
N/A 104.20.68.143:443 pastebin.com tcp
N/A 34.142.80.219:15647 tcp
N/A 8.8.8.8:53 eth0.me udp
N/A 5.132.162.27:80 eth0.me tcp

Files

memory/1272-54-0x0000000000380000-0x00000000003E8000-memory.dmp

memory/1272-55-0x0000000075931000-0x0000000075933000-memory.dmp

memory/1272-56-0x0000000004E95000-0x0000000004EA6000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmp38EB.tmp.exe

MD5 797de7a7866e24d84c92c16337a18a04
SHA1 3d6511a658bcc2604a1da05e89d78021fd070d29
SHA256 50b4f4fff0b709c50551f73533f10b73b22318a83ad6e8fdfffa326a55295421
SHA512 c28fd98d945c8d5f7b379715bf2ea5c4cd869b75ca51d45f1e7fdfd2b02d7d96bf29f3f6187b67f19f1f41ca7465006df0d9f538394d2e0cb13880874ace484c

C:\Users\Admin\AppData\Local\Temp\tmp390B.tmp.exe

MD5 9805cbb5c6c6b590b22efa323b8334b5
SHA1 64bc5664c277cbe047d994c77007dd94a2376a46
SHA256 fbfb9a51c89267d2c3728fb4b81774bf5e9e276bdde5186fa85f1955f9369a94
SHA512 69a0af37066ab7887f36882c7ba0649ceb4ef61132f68ff3a634c60ed7d6165578939bdc09db239dc2552faf7627c083c80fe8dce779ffbe6b3dbaa2aec3e242

C:\Users\Admin\AppData\Local\Temp\tmp393B.tmp.exe

MD5 da2eeffeaafc33c43e23d4225cdc959c
SHA1 6673a54930e9e9f476f329d77987e95432f57d9e
SHA256 d1ca008a84ac68846ff6ed211238910ac40d499ebef8efec0b77b3ed9a3d5166
SHA512 8436c28d009c650e137179162ed96f2582f28757d37a5d05a93a6898190d59eac563e2b22ff763d0cfd5ec73f53c2137047e43c2c542d9d721065984aa2f4c56

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 039133df02434a487d022265a2ff00b9
SHA1 15c04a04bebe6ef9eac284fbb1641b2f965f688b
SHA256 6fb6d7bf88ef357ceb1a639a62d07a5cf337df779fda4d266f96d569e9635afe
SHA512 fe66931146f910ed39b755439882377bca21fb2690edbd51d71582904ee6a4f942fe0ae6e417160be375c546b0b521a7322e990dddcf23c9f4d23c651c292218


Analysis: behavioral2

Detonation Overview

Submitted

2023-01-25 17:08

Reported

2023-01-25 17:10

Platform

win10v2004-20220812-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe"

Signatures

Aurora

stealer aurora

RedLine

infostealer redline

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eupdgebosk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gzjkqcsse\\Eupdgebosk.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A eth0.me N/A N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
PID 3092 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
PID 3092 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
PID 3092 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 3092 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 3092 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 3092 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 3092 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 3092 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 4160 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 1224 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
PID 4648 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 4648 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 4648 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 4648 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 4648 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 4648 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 4160 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
PID 4160 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
PID 4160 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
PID 4648 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
PID 4160 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
PID 2196 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2196 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2196 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe

"C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe"

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3092 -ip 3092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /im chrome.exe /f

Network


Files

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp98EB.tmp.exe.log