Malware Analysis Report

2024-10-16 05:07

Sample ID 231013-d9qm4ach8s
Target 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e
SHA256 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e
Tags
ammyyadmin flawedammyy rhadamanthys smokeloader backdoor bootkit collection persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e

Threat Level: Known bad

The file 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy rhadamanthys smokeloader backdoor bootkit collection persistence rat stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Ammyy Admin

SmokeLoader

Detect rhadamanthys stealer shellcode

FlawedAmmyy RAT

Rhadamanthys

AmmyyAdmin payload

Blocklisted process makes network request

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Program crash

outlook_win_path

outlook_office_path

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-13 03:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-13 03:42

Reported

2023-10-18 03:14

Platform

win7-20230831-en

Max time kernel

150s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

FlawedAmmyy RAT

trojan flawedammyy

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2260 created 1428 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\Explorer.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3C84.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3C84.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3E87.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2024 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 2260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\system32\certreq.exe
PID 2260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\system32\certreq.exe
PID 2260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\system32\certreq.exe
PID 2260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\system32\certreq.exe
PID 2260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\system32\certreq.exe
PID 2260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\system32\certreq.exe
PID 2592 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2692 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe
PID 2692 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe
PID 2692 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe
PID 2692 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe
PID 2592 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2692 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe
PID 2592 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2692 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe
PID 2592 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2592 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe
PID 2692 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe
PID 1428 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3C84.exe
PID 1428 wrote to memory of 2300 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3C84.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe

"C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe"

C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe

C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe

"C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe"

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

"C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe"

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe

C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

C:\Users\Admin\AppData\Local\Temp\3C84.exe

C:\Users\Admin\AppData\Local\Temp\3C84.exe

C:\Users\Admin\AppData\Local\Temp\3C84.exe

C:\Users\Admin\AppData\Local\Temp\3C84.exe

C:\Users\Admin\AppData\Local\Temp\3E87.exe

C:\Users\Admin\AppData\Local\Temp\3E87.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 164

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\3E87.exe

"C:\Users\Admin\AppData\Local\Temp\3E87.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe -debug

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\aa_nts.dll",run

Network

Country Destination Domain Proto
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 zamned17.xyz udp
DE 5.182.207.92:80 zamned17.xyz tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 N/A tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
DE 85.10.193.215:80 N/A tcp

Files

memory/2024-0-0x00000000011B0000-0x000000000122E000-memory.dmp

memory/2024-1-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/2024-2-0x00000000048B0000-0x0000000004928000-memory.dmp

memory/2024-3-0x0000000000B80000-0x0000000000BC0000-memory.dmp

memory/2024-4-0x0000000004930000-0x0000000004998000-memory.dmp

memory/2024-5-0x0000000000900000-0x000000000094C000-memory.dmp

memory/2260-6-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2260-8-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2260-9-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2260-11-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2260-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2260-15-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2024-18-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/2260-17-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2260-19-0x0000000000200000-0x0000000000207000-memory.dmp

memory/2260-20-0x0000000000A70000-0x0000000000E70000-memory.dmp

memory/2260-22-0x0000000000A70000-0x0000000000E70000-memory.dmp

memory/2260-21-0x0000000000A70000-0x0000000000E70000-memory.dmp

memory/2260-23-0x0000000000A70000-0x0000000000E70000-memory.dmp

memory/2788-24-0x00000000000E0000-0x00000000000E3000-memory.dmp

memory/2788-25-0x00000000000E0000-0x00000000000E3000-memory.dmp

memory/2260-26-0x0000000000480000-0x00000000004B6000-memory.dmp

memory/2260-32-0x0000000000480000-0x00000000004B6000-memory.dmp

memory/2260-33-0x0000000000A70000-0x0000000000E70000-memory.dmp

memory/2260-34-0x0000000000A70000-0x0000000000E70000-memory.dmp

memory/2788-36-0x00000000003A0000-0x00000000003A7000-memory.dmp

memory/2788-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-47-0x0000000077310000-0x00000000774B9000-memory.dmp

memory/2788-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2788-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\t02)]YevbT.exe

MD5 4a97cfd7be5c68006c2e09dd71343ecd
SHA1 db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA256 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512 a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

memory/2692-57-0x0000000000970000-0x00000000009D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/2592-61-0x0000000000990000-0x00000000009D0000-memory.dmp

memory/2788-62-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2592-64-0x0000000000A40000-0x0000000000A7E000-memory.dmp

memory/2692-63-0x00000000005B0000-0x00000000005F4000-memory.dmp

memory/2592-66-0x0000000073C10000-0x00000000742FE000-memory.dmp

memory/2692-68-0x00000000002D0000-0x0000000000302000-memory.dmp

memory/2788-69-0x0000000077310000-0x00000000774B9000-memory.dmp

memory/2592-70-0x00000000048E0000-0x0000000004920000-memory.dmp

\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/2592-99-0x0000000073C10000-0x00000000742FE000-memory.dmp

memory/2692-101-0x0000000073C10000-0x00000000742FE000-memory.dmp

memory/1928-100-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1928-97-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1928-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1928-82-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1928-76-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2692-67-0x00000000049D0000-0x0000000004A10000-memory.dmp

memory/2592-65-0x0000000000650000-0x000000000067C000-memory.dmp

memory/2692-59-0x0000000073C10000-0x00000000742FE000-memory.dmp

memory/2788-102-0x00000000003A0000-0x00000000003A2000-memory.dmp

memory/2788-103-0x0000000077310000-0x00000000774B9000-memory.dmp

memory/1428-104-0x0000000002790000-0x00000000027A6000-memory.dmp

memory/1928-105-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C84.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

memory/2300-120-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/2300-119-0x0000000000A40000-0x0000000000A8E000-memory.dmp

memory/2300-121-0x00000000007F0000-0x0000000000836000-memory.dmp

memory/2300-122-0x0000000002130000-0x0000000002170000-memory.dmp

memory/2300-123-0x0000000000970000-0x00000000009A4000-memory.dmp

memory/2852-125-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\3C84.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

C:\Users\Admin\AppData\Local\Temp\3E87.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

memory/2032-135-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/2032-133-0x00000000003E0000-0x000000000045C000-memory.dmp

memory/2852-136-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2852-138-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2852-140-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2852-129-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2852-147-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2300-148-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/2852-144-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2852-142-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2852-127-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2032-149-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2032-156-0x00000000005C0000-0x0000000000602000-memory.dmp

memory/1048-159-0x00000000000D0000-0x000000000013B000-memory.dmp

memory/1048-160-0x00000000001A0000-0x0000000000215000-memory.dmp

memory/1048-161-0x00000000000D0000-0x000000000013B000-memory.dmp

memory/1048-174-0x00000000000D0000-0x000000000013B000-memory.dmp

memory/976-176-0x0000000000070000-0x0000000000077000-memory.dmp

memory/976-177-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2904-179-0x00000000000D0000-0x00000000000D4000-memory.dmp

memory/2904-180-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/1692-183-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2032-184-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/1692-182-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2032-185-0x00000000007C0000-0x00000000007DA000-memory.dmp

memory/2032-186-0x0000000000770000-0x0000000000776000-memory.dmp

\Users\Admin\AppData\Local\Temp\3E87.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

memory/2860-200-0x0000000000110000-0x0000000000117000-memory.dmp

memory/2032-202-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2860-203-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/2932-205-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/2932-206-0x0000000000060000-0x000000000006F000-memory.dmp

memory/828-208-0x00000000000D0000-0x00000000000D5000-memory.dmp

memory/828-209-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2068-210-0x0000000000070000-0x0000000000076000-memory.dmp

memory/2068-212-0x0000000000060000-0x000000000006C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\Cab8A86.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar8AF6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fba3c6e54615dc06f7cdfa97c8c01690
SHA1 6acf066196f9b6b846a842b4a7886e5faa90291c
SHA256 86cd229faa7d291fb4281b508f3d99384e55f3e0f58a56e4b302d29cc6ff0dbc
SHA512 666233846cf61379f17f7a39349a17b2306b70e143e3c30dccfdac1f2a1a086d555ecb397c6fd7855112cc0b5ec58b513e527e677578d547a0a44a1712d273f0

C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

\Users\Admin\AppData\Local\Temp\7CFD.tmp\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\aa_nts.msg

MD5 3f05819f995b4dafa1b5d55ce8d1f411
SHA1 404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA256 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA512 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-13 03:42

Reported

2023-10-18 03:16

Platform

win10v2004-20230915-en

Max time kernel

137s

Max time network

160s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
(matched 6 times; the sandbox recorded no description, indicator, process or target for any of the matches)

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3656 created 2684 N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\Explorer.EXE

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 436 wrote to memory of 3656 (8 identical rows in the raw log) N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
PID 3656 wrote to memory of 4760 (4 identical rows in the raw log) N/A C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe C:\Windows\system32\certreq.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
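The WriteProcessMemory and NtCreateUserProcessOtherParentProcess rows above describe the injection chain of this run: the first instance of the sample (PID 436) writes into a second copy of itself (PID 3656), that copy writes into certreq.exe (PID 4760), and it also creates a process with a parent other than itself (Explorer.EXE). The Python below is an added example, not part of the sandbox report and not code from any tool it names; it parses rows of exactly that shape (constructed here from the tables, with the repeated rows dropped) and turns them into the three findings a detection engineer would alert on. The path classes it uses (user-writable directories versus System32/SysWOW64) are this example's own heuristic, and the third number of each row is kept as printed without assuming whether the sandbox meant the child or the parent PID.

```python
"""Rebuild the process-injection chain from Triage signature rows.

Added example: parses rows of the shape shown in the report above and flags
self-injection, injection into a signed OS binary, and parent-PID spoofing.
"""
import re

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
PPID_RE = re.compile(r"^PID (\d+) created (\d+) N/A (\S+) (\S+)$")

# Images exactly as printed in the report (no spaces, so \S+ is enough).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe")
CERTREQ = r"C:\Windows\system32\certreq.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Constructed input: the signature rows from the tables above, repeats dropped.
WPM_ROWS = [
    f"PID 436 wrote to memory of 3656 N/A {SAMPLE} {SAMPLE}",
    f"PID 3656 wrote to memory of 4760 N/A {SAMPLE} {CERTREQ}",
]
PPID_ROWS = [f"PID 3656 created 2684 N/A {SAMPLE} {EXPLORER}"]

# Heuristic path classes (this example's assumption, not a sandbox rule).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def from_user_writable(image: str) -> bool:
    return any(marker in image.lower() for marker in USER_WRITABLE)


def is_system_binary(image: str) -> bool:
    return any(marker in image.lower() for marker in SYSTEM_DIRS)


def parse(wpm_rows, ppid_rows):
    """Return (writes, creates): {(src_pid, other_pid): (src_image, other_image)}."""
    writes, creates = {}, {}
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if m:
            writes[(int(m[1]), int(m[2]))] = (m[3], m[4])
    for row in ppid_rows:
        m = PPID_RE.match(row)
        if m:
            creates[(int(m[1]), int(m[2]))] = (m[3], m[4])
    return writes, creates


def findings(writes, creates):
    """Classify each cross-process write / create into an alertable behaviour."""
    out = []
    for (src, dst), (src_img, dst_img) in writes.items():
        if src_img.lower() == dst_img.lower():
            # A fresh copy of the same image is written to: unpack-into-self.
            out.append(("self-injection", src, dst))
        elif from_user_writable(src_img) and is_system_binary(dst_img):
            # A dropper in a user-writable directory writes into a signed OS binary.
            out.append(("lolbin-injection", src, dst))
    for (creator, pid_in_row), (creator_img, parent_img) in creates.items():
        if creator_img.lower() != parent_img.lower():
            # The creator handed the new process a parent (Explorer.EXE here)
            # other than itself: the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS trick.
            out.append(("ppid-spoof", creator, pid_in_row))
    return out


def injection_chain(writes, root: int):
    """Follow memory writes from `root` until no further process is written to."""
    next_hop = {src: dst for (src, dst) in writes}
    chain = [root]
    while chain[-1] in next_hop and next_hop[chain[-1]] not in chain:
        chain.append(next_hop[chain[-1]])
    return chain


if __name__ == "__main__":
    w, c = parse(WPM_ROWS, PPID_ROWS)
    for kind, a, b in findings(w, c):
        print(f"{kind:17} {a} -> {b}")
    print("chain:", " -> ".join(map(str, injection_chain(w, 436))))
```

The `lolbin-injection` finding is the one worth a high-severity rule: a signed Microsoft binary (certreq.exe) whose memory was written by an executable in %TEMP% is the process that then reads the Outlook profile keys and makes the network requests, so host telemetry keyed on image path alone attributes the stealer activity to a legitimate binary.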

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe

"C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe"

C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe

C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Note: the in-addr.arpa queries are reverse (PTR) lookups sent to Google Public DNS, one of them (61.66.131.45.in-addr.arpa) for the amxt25.xyz address itself; the only forward resolution in this run is amxt25.xyz to 45.131.66.61, which is then contacted twice over plain HTTP on port 80. No domain was recorded for the 209.197.3.8:80 connection.

Files

memory/436-0-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/436-1-0x0000000000940000-0x00000000009BE000-memory.dmp

memory/436-2-0x0000000005A20000-0x0000000005FC4000-memory.dmp

memory/436-3-0x0000000005380000-0x00000000053F8000-memory.dmp

memory/436-4-0x00000000055F0000-0x0000000005600000-memory.dmp

memory/436-5-0x0000000005570000-0x00000000055D8000-memory.dmp

memory/436-6-0x0000000005600000-0x000000000564C000-memory.dmp

memory/3656-7-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3656-10-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3656-11-0x0000000000400000-0x0000000000473000-memory.dmp

memory/436-12-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/3656-13-0x0000000000BE0000-0x0000000000BE7000-memory.dmp

memory/3656-14-0x0000000002880000-0x0000000002C80000-memory.dmp

memory/3656-15-0x0000000002880000-0x0000000002C80000-memory.dmp

memory/3656-16-0x0000000002880000-0x0000000002C80000-memory.dmp

memory/3656-17-0x0000000002880000-0x0000000002C80000-memory.dmp

memory/4760-18-0x0000021B09EC0000-0x0000021B09EC3000-memory.dmp

memory/3656-19-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3656-20-0x00000000036B0000-0x00000000036E6000-memory.dmp

memory/3656-26-0x00000000036B0000-0x00000000036E6000-memory.dmp

memory/3656-27-0x0000000002880000-0x0000000002C80000-memory.dmp

memory/3656-28-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3656-29-0x0000000002880000-0x0000000002C80000-memory.dmp

memory/4760-30-0x0000021B09EC0000-0x0000021B09EC3000-memory.dmp

memory/4760-31-0x0000021B0A280000-0x0000021B0A287000-memory.dmp

memory/4760-32-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-33-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-34-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-35-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-36-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-38-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-41-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-40-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-42-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-43-0x00007FFE54A50000-0x00007FFE54C45000-memory.dmp

memory/4760-44-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-45-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-46-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-47-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-48-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-49-0x00007FFE54A50000-0x00007FFE54C45000-memory.dmp

memory/4760-50-0x00007FF4C0FC0000-0x00007FF4C10EF000-memory.dmp

memory/4760-51-0x0000021B0A280000-0x0000021B0A285000-memory.dmp

memory/4760-52-0x00007FFE54A50000-0x00007FFE54C45000-memory.dmp
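Both Files sections (behavioral1 above and behavioral2 here) list a dropped file once per file event, so the same path and hash set recurs many times, sometimes with and sometimes without the drive letter, and the same address range of one PID (for example 0x000007FFFFE80000-0x000007FFFFFAF000 in PID 2788) is dumped over and over. The Python below is an added example, not part of the report; it reduces such a listing to one record per SHA256 with every path spelling seen, one record per (PID, address range) with a dump count, and flags hash values whose length does not fit their algorithm, a cheap catch for truncated or garbled rows. The excerpt it parses is constructed from entries in the listing above.

```python
"""Collapse a Triage 'Files' listing into distinct artifacts and memory regions.

Added example, not part of the report. SAMPLE_LISTING is a constructed excerpt
of the Files sections above: one dropped file listed under two path spellings,
one dropped file listed once, and one PID 2788 range dumped twice.
"""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.I)
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S.*$")   # Windows path, drive letter optional
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

SAMPLE_LISTING = r"""
memory/2788-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/2788-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2592-61-0x0000000000990000-0x00000000009D0000-memory.dmp

\Users\Admin\AppData\Local\Microsoft\%}uK9eybr.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
"""


def parse_listing(text):
    """Return (files, regions).

    files:   sha256 -> {"paths": set of spellings, "seen": rows, "hashes": {algo: hex}}
    regions: pid -> {(start, end): number of dumps of that exact range}
    """
    files, regions = {}, defaultdict(lambda: defaultdict(int))
    pending = None  # the path whose hash lines are still being read

    def flush():
        if pending and "SHA256" in pending["hashes"]:
            rec = files.setdefault(pending["hashes"]["SHA256"],
                                   {"paths": set(), "seen": 0, "hashes": {}})
            rec["paths"].add(pending["path"])
            rec["seen"] += 1
            rec["hashes"].update(pending["hashes"])

    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            flush()
            pending = None
            regions[int(m[1])][(int(m[2], 16), int(m[3], 16))] += 1
        elif (m := HASH_RE.match(line)) and pending is not None:
            pending["hashes"][m[1].upper()] = m[2].lower()
        elif PATH_RE.match(line):
            flush()
            pending = {"path": line, "hashes": {}}
    flush()
    return files, {pid: dict(r) for pid, r in regions.items()}


def hash_problems(files):
    """(sha256 prefix, algo, length) for hashes whose length is wrong for the algorithm."""
    return [(sha[:12], algo, len(v)) for sha, rec in files.items()
            for algo, v in rec["hashes"].items() if len(v) != HASH_LEN[algo]]


def region_summary(regions):
    """pid -> [(start, size_in_bytes, dump_count)] sorted by start address."""
    return {pid: sorted((s, e - s, n) for (s, e), n in r.items()) for pid, r in regions.items()}


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for sha, rec in files.items():
        print(f"{sha[:16]}  seen {rec['seen']}x  {sorted(rec['paths'])}")
    for pid, rows in region_summary(regions).items():
        for start, size, n in rows:
            print(f"pid {pid}: 0x{start:X} size 0x{size:X} dumped {n}x")
    print("hash problems:", hash_problems(files))
```

Keying on SHA256 rather than on the path is what merges the `C:\Users\...` and `\Users\...` spellings into one IOC, and the per-PID region table turns the long run of identical dump lines into a single range with a count, which is the form an analyst actually wants before pulling the dump for the injected certreq.exe or the unpacked second instance of the sample.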