Malware Analysis Report

2025-01-18 05:36

Sample ID 231015-1ynqpaad5y
Target 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63
SHA256 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor discovery dropper evasion infostealer loader ransomware themida trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256

6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63

Threat Level: Known bad

The file 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63 was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

RedLine payload

Amadey

Glupteba payload

Detected Djvu ransomware

SmokeLoader

Glupteba

RedLine

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Themida packer

Modifies file permissions

UPX packed file

Executes dropped EXE

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 22:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 22:03

Reported

2023-10-15 22:07

Platform

win10v2004-20230915-en

Max time kernel

58s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4328 set thread context of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 772 wrote to memory of 4328 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 772 wrote to memory of 4328 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 772 wrote to memory of 4328 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 4328 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\4C85.exe C:\Users\Admin\AppData\Local\Temp\4C85.exe
PID 772 wrote to memory of 4536 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F06.exe
PID 772 wrote to memory of 4536 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F06.exe
PID 772 wrote to memory of 4536 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F06.exe
PID 772 wrote to memory of 4440 N/A N/A C:\Users\Admin\AppData\Local\Temp\51D6.exe
PID 772 wrote to memory of 4440 N/A N/A C:\Users\Admin\AppData\Local\Temp\51D6.exe
PID 772 wrote to memory of 4440 N/A N/A C:\Users\Admin\AppData\Local\Temp\51D6.exe
PID 772 wrote to memory of 4224 N/A N/A C:\Windows\system32\regsvr32.exe
PID 772 wrote to memory of 4224 N/A N/A C:\Windows\system32\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe

"C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe"

C:\Users\Admin\AppData\Local\Temp\4C85.exe

C:\Users\Admin\AppData\Local\Temp\4C85.exe

C:\Users\Admin\AppData\Local\Temp\4C85.exe

C:\Users\Admin\AppData\Local\Temp\4C85.exe

C:\Users\Admin\AppData\Local\Temp\4F06.exe

C:\Users\Admin\AppData\Local\Temp\4F06.exe

C:\Users\Admin\AppData\Local\Temp\51D6.exe

C:\Users\Admin\AppData\Local\Temp\51D6.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\564C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\564C.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 140

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\89b1b021-d74a-4be0-8bbb-ca903573828a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5F84.exe

C:\Users\Admin\AppData\Local\Temp\5F84.exe

C:\Users\Admin\AppData\Local\Temp\63DB.exe

C:\Users\Admin\AppData\Local\Temp\63DB.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\6CE4.exe

C:\Users\Admin\AppData\Local\Temp\6CE4.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4C85.exe

"C:\Users\Admin\AppData\Local\Temp\4C85.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\4C85.exe

"C:\Users\Admin\AppData\Local\Temp\4C85.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4124 -ip 4124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\6CE4.exe

"C:\Users\Admin\AppData\Local\Temp\6CE4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\grrhfnlxagtw.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
US 8.8.8.8:53 147.209.33.14.in-addr.arpa udp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
KR 14.33.209.147:80 wirtshauspost.at tcp
US 8.8.8.8:53 wirtshauspost.at udp
US 8.8.8.8:53 wirtshauspost.at udp
MK 95.86.30.3:80 wirtshauspost.at tcp
US 8.8.8.8:53 3.30.86.95.in-addr.arpa udp
US 8.8.8.8:53 49b3989f-a9d0-4c7c-91e8-4875d2217f28.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/3488-1-0x0000000000720000-0x0000000000820000-memory.dmp

memory/3488-2-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3488-3-0x0000000000710000-0x000000000071B000-memory.dmp

memory/3488-5-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/772-4-0x0000000002B00000-0x0000000002B16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C85.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\4C85.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/4328-19-0x00000000048F0000-0x000000000498F000-memory.dmp

memory/1916-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C85.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\4F06.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

C:\Users\Admin\AppData\Local\Temp\4F06.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/4328-21-0x0000000004990000-0x0000000004AAB000-memory.dmp

memory/1916-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-28-0x00000000006F0000-0x0000000000E70000-memory.dmp

memory/1916-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1916-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\51D6.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\51D6.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\564C.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Local\Temp\564C.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/4724-39-0x0000000000400000-0x000000000043E000-memory.dmp

memory/448-40-0x0000000000C50000-0x0000000000C56000-memory.dmp

memory/448-41-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/4724-43-0x0000000073730000-0x0000000073EE0000-memory.dmp

memory/4724-47-0x0000000007BF0000-0x0000000008194000-memory.dmp

memory/4724-50-0x00000000076E0000-0x0000000007772000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F84.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4724-58-0x0000000007690000-0x00000000076A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F84.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4724-62-0x0000000007880000-0x000000000788A000-memory.dmp

memory/4724-63-0x00000000087C0000-0x0000000008DD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63DB.exe

MD5 2904eb1a3acfc85cdae1ccde6adfeeab
SHA1 23b4dfea8ef38206792033cb784644967ac79f49
SHA256 f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA512 16b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25

memory/4724-73-0x0000000007950000-0x0000000007962000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4724-75-0x00000000079B0000-0x00000000079EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63DB.exe

MD5 2904eb1a3acfc85cdae1ccde6adfeeab
SHA1 23b4dfea8ef38206792033cb784644967ac79f49
SHA256 f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA512 16b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25

memory/4724-70-0x0000000007A20000-0x0000000007B2A000-memory.dmp

memory/4724-79-0x0000000007B30000-0x0000000007B7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3608-80-0x00000000006C0000-0x00000000007C0000-memory.dmp

memory/3608-81-0x0000000000650000-0x000000000065B000-memory.dmp

memory/3608-82-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/4536-83-0x00000000006F0000-0x0000000000E70000-memory.dmp

memory/1916-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-87-0x0000000076C10000-0x0000000076D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6CE4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\6CE4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4536-93-0x0000000076C10000-0x0000000076D00000-memory.dmp

memory/4536-94-0x0000000076C10000-0x0000000076D00000-memory.dmp

memory/4536-91-0x0000000076C10000-0x0000000076D00000-memory.dmp

memory/4536-95-0x0000000076C10000-0x0000000076D00000-memory.dmp

memory/4884-98-0x0000000000A90000-0x0000000000AFB000-memory.dmp

memory/4536-99-0x0000000077BF4000-0x0000000077BF6000-memory.dmp

memory/4536-96-0x0000000076C10000-0x0000000076D00000-memory.dmp

memory/4884-100-0x0000000000B00000-0x0000000000B75000-memory.dmp

memory/4536-103-0x00000000006F0000-0x0000000000E70000-memory.dmp

memory/4980-106-0x0000000000D70000-0x0000000000D77000-memory.dmp

memory/4724-104-0x0000000073730000-0x0000000073EE0000-memory.dmp

memory/1548-111-0x0000000004CC0000-0x00000000050C0000-memory.dmp

memory/1548-116-0x00000000050C0000-0x00000000059AB000-memory.dmp

memory/4536-115-0x00000000055F0000-0x000000000568C000-memory.dmp

memory/4980-110-0x0000000000D60000-0x0000000000D6C000-memory.dmp

memory/4980-105-0x0000000000D60000-0x0000000000D6C000-memory.dmp

memory/1548-134-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\89b1b021-d74a-4be0-8bbb-ca903573828a\4C85.exe
