Analysis Overview
SHA256: 89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8
Threat Level: Known bad
The file 89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8 was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
Djvu Ransomware
Detected Djvu ransomware
RedLine payload
RedLine
SmokeLoader
Amadey
Downloads MZ/PE file
Stops running service(s)
Modifies Windows Firewall
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-10-15 09:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-10-15 09:01
Reported: 2023-10-15 09:04
Platform: win10v2004-20230915-en
Max time kernel: 41s
Max time network: 138s
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\216E.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3E7F.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\216E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2314.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\216E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33A0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\216E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E7F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\216E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4304.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1924862b-0908-406e-8dbd-3971d677a1dc\\216E.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\216E.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4284 set thread context of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\216E.exe | C:\Users\Admin\AppData\Local\Temp\216E.exe |
| PID 4312 set thread context of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\216E.exe | C:\Users\Admin\AppData\Local\Temp\216E.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\216E.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe | "C:\Users\Admin\AppData\Local\Temp\89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8.exe" |
| C:\Users\Admin\AppData\Local\Temp\216E.exe | C:\Users\Admin\AppData\Local\Temp\216E.exe |
| C:\Users\Admin\AppData\Local\Temp\2314.exe | C:\Users\Admin\AppData\Local\Temp\2314.exe |
| C:\Users\Admin\AppData\Local\Temp\216E.exe | C:\Users\Admin\AppData\Local\Temp\216E.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\1924862b-0908-406e-8dbd-3971d677a1dc" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\33A0.exe | C:\Users\Admin\AppData\Local\Temp\33A0.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\374A.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\374A.dll |
| C:\Users\Admin\AppData\Local\Temp\216E.exe | "C:\Users\Admin\AppData\Local\Temp\216E.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\3E7F.exe | C:\Users\Admin\AppData\Local\Temp\3E7F.exe |
| C:\Users\Admin\AppData\Local\Temp\216E.exe | "C:\Users\Admin\AppData\Local\Temp\216E.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\4304.exe | C:\Users\Admin\AppData\Local\Temp\4304.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3108 -ip 3108 |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" |
| C:\Users\Admin\AppData\Local\Temp\493F.exe | C:\Users\Admin\AppData\Local\Temp\493F.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 568 |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:N" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe | "C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | "C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\493F.exe | "C:\Users\Admin\AppData\Local\Temp\493F.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe | "C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\System32\sc.exe | sc stop UsoSvc |
| C:\Windows\System32\sc.exe | sc stop WaaSMedicSvc |
| C:\Windows\System32\sc.exe | sc stop wuauserv |
| C:\Windows\System32\sc.exe | sc stop bits |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\System32\sc.exe | sc stop dosvc |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-ac 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-dc 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-ac 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-dc 0 |
| C:\Windows\System32\schtasks.exe | C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Program Files\Google\Chrome\updater.exe | "C:\Program Files\Google\Chrome\updater.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
Network
Files
| MD5 | a3368211e62a4b5e5b8e8a6b03705fe5 |
| SHA1 | 6553fdaea087a6685ced9b8ec7b7284ec54bcd78 |
| SHA256 | 73cc0a482562344b7b97ea37057485f18fc50af6afaac2b88a1ec3fadb0a3e35 |
| SHA512 | 9b90d2f3d4b9d9a172d93bae338121391cc2f07cf1a5014679e0d0947c2a025e09c3c0cf8b67da266a7aae3ee968ac847516c57c6127dee3c06a189d3c3349aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 7c35b581cf9942855d622bf4d0263a3e |
| SHA1 | b45ef514848d4194348b303557e0b27f98fb5ac7 |
| SHA256 | 3796f6c84dd6b1445eee4d21e0e4e9f2f22634162c70e97126c8d1619c6e031d |
| SHA512 | b3028bbf133c8d5ae9b80bc5b12fbb5e8c903a3196ba6f32bde554a4f424a1cfa4e637590a202475f96e229f351d00da82a10db24a9ac49c1e630bf508f0b4c3 |
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
memory/2096-178-0x0000000007810000-0x000000000781A000-memory.dmp
memory/5088-179-0x0000000002F40000-0x0000000003041000-memory.dmp
memory/5088-180-0x0000000002F40000-0x0000000003041000-memory.dmp
memory/5088-184-0x0000000002F40000-0x0000000003041000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
memory/1560-198-0x0000000004C80000-0x000000000507C000-memory.dmp
memory/5088-199-0x0000000002F40000-0x0000000003041000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/2096-207-0x0000000008700000-0x0000000008D18000-memory.dmp
memory/2096-208-0x00000000079C0000-0x0000000007ACA000-memory.dmp
memory/2096-211-0x00000000078F0000-0x0000000007902000-memory.dmp
memory/1560-200-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2096-214-0x0000000007950000-0x000000000798C000-memory.dmp
memory/2096-215-0x0000000007AD0000-0x0000000007B1C000-memory.dmp
memory/2184-217-0x0000000004CA0000-0x000000000509B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1560-229-0x0000000005080000-0x000000000596B000-memory.dmp
memory/3188-230-0x0000000002CA0000-0x0000000002CB6000-memory.dmp
memory/2352-231-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2184-235-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2632-236-0x0000000000D10000-0x0000000000D46000-memory.dmp
memory/2632-237-0x0000000004E70000-0x0000000005498000-memory.dmp
memory/2864-238-0x0000000005340000-0x0000000005362000-memory.dmp
memory/2632-239-0x0000000004D40000-0x0000000004DA6000-memory.dmp
memory/2632-242-0x00000000054A0000-0x0000000005506000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l42ig1bb.n44.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2864-255-0x0000000005D70000-0x00000000060C4000-memory.dmp
memory/1560-260-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/784-261-0x00007FF670FE0000-0x00007FF671931000-memory.dmp
memory/2632-262-0x0000000071FE0000-0x0000000072790000-memory.dmp
memory/2864-263-0x0000000071FE0000-0x0000000072790000-memory.dmp
memory/2632-264-0x0000000004830000-0x0000000004840000-memory.dmp
memory/2864-265-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/2864-266-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/2096-267-0x0000000071FE0000-0x0000000072790000-memory.dmp
memory/2864-268-0x0000000006340000-0x000000000635E000-memory.dmp
memory/2864-270-0x00000000068E0000-0x0000000006924000-memory.dmp
memory/2184-269-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1560-271-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2168-272-0x00007FF745940000-0x00007FF745EE1000-memory.dmp
memory/2632-273-0x0000000004830000-0x0000000004840000-memory.dmp
memory/2864-274-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/2096-275-0x0000000007630000-0x0000000007640000-memory.dmp
memory/2632-276-0x0000000006D80000-0x0000000006DF6000-memory.dmp
memory/2864-277-0x0000000007B50000-0x00000000081CA000-memory.dmp
memory/2864-278-0x0000000007500000-0x000000000751A000-memory.dmp
memory/2184-279-0x0000000004CA0000-0x000000000509B000-memory.dmp
memory/784-280-0x00007FF670FE0000-0x00007FF671931000-memory.dmp
memory/2864-281-0x00000000078D0000-0x0000000007902000-memory.dmp
memory/2632-283-0x0000000073190000-0x00000000731DC000-memory.dmp
memory/2632-285-0x000000006C530000-0x000000006C884000-memory.dmp
memory/2864-284-0x000000006C530000-0x000000006C884000-memory.dmp
memory/2864-282-0x0000000073190000-0x00000000731DC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | a6ea7bfcd3aac150c0caef765cb52281 |
| SHA1 | 037dc22c46a0eb0b9ad4c74088129e387cffe96b |
| SHA256 | f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9 |
| SHA512 | c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6af32d9529a23b5294409f9cf38fa3e1 |
| SHA1 | cebe90244976f836127233754033182cc4894e13 |
| SHA256 | e1c6e39660d04cff2154c02af62579f0bd6d7ae276ef6e6730547d9a9dc6c60e |
| SHA512 | 5edf681dcc62a97f61b6b8523ba6e64d0a03ae428118d5a697fdf1842b617b6be7736a0326a8a6029946431495a323b6d514a7d773840d8a99fb640829daf339 |
C:\Users\Admin\AppData\Local\Temp\493F.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
memory/1560-328-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2184-332-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\dvfvrur
| MD5 | 688bcddee8d887a70a70eb791b44abf5 |
| SHA1 | 92cc959bb52a864820b438d82b9b17cc45d88ab4 |
| SHA256 | 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80 |
| SHA512 | 4ca4afa8bf7fb92042ff188800032c7badc3372bbd30739e7fd994c9aa75f8b2723175172927cd5d2500417755920fc8543a1822c3366d814f113e4f3e75628a |
memory/784-344-0x00007FF670FE0000-0x00007FF671931000-memory.dmp
memory/4396-396-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4844-397-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/784-404-0x00007FF670FE0000-0x00007FF671931000-memory.dmp
memory/1320-419-0x0000000000190000-0x00000000001EA000-memory.dmp
memory/784-420-0x00007FF670FE0000-0x00007FF671931000-memory.dmp
memory/4844-433-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | df409b60e9cc5122150324efef71bdb5 |
| SHA1 | 685eaf9c7ecc4f718821dfbd7ef85993f3b83c4f |
| SHA256 | f5b3581f589023e3b1d6741d6cb56028c13d86f0f32aed3049508c9f99d2aaa8 |
| SHA512 | 74d707e8da5337eb3f61cbd6f6f3ead382811c6c8fde604d94b1c20829fd744a16d4388aaa0219c2d4242c74fa964ab51dc84150049cfe7c256eaf51d598593d |
memory/2168-443-0x00007FF745940000-0x00007FF745EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | df409b60e9cc5122150324efef71bdb5 |
| SHA1 | 685eaf9c7ecc4f718821dfbd7ef85993f3b83c4f |
| SHA256 | f5b3581f589023e3b1d6741d6cb56028c13d86f0f32aed3049508c9f99d2aaa8 |
| SHA512 | 74d707e8da5337eb3f61cbd6f6f3ead382811c6c8fde604d94b1c20829fd744a16d4388aaa0219c2d4242c74fa964ab51dc84150049cfe7c256eaf51d598593d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 17fbfbe3f04595e251287a6bfcdc35de |
| SHA1 | b576aabfd5e6d5799d487011506ed1ae70688987 |
| SHA256 | 2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0 |
| SHA512 | 449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6 |
memory/4396-485-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4844-486-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2168-487-0x00007FF745940000-0x00007FF745EE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 66024cccd2a7839409e6998681085174 |
| SHA1 | 2d5a3197834bfe187d13ddfecf1a77828ce15722 |
| SHA256 | 4417189a3c25c92d5dc5aa4ba84f3ddf9a9b7d7ccbe6c1e9f43c16a42e1c89d5 |
| SHA512 | abde81db85335023dc375eefaf0b7093f274f3622cd2207d2f6583d3fc65fa6284820531d7339603b9ff0364db289c09c46f01f4fed548d94baccd9deea5381b |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 66024cccd2a7839409e6998681085174 |
| SHA1 | 2d5a3197834bfe187d13ddfecf1a77828ce15722 |
| SHA256 | 4417189a3c25c92d5dc5aa4ba84f3ddf9a9b7d7ccbe6c1e9f43c16a42e1c89d5 |
| SHA512 | abde81db85335023dc375eefaf0b7093f274f3622cd2207d2f6583d3fc65fa6284820531d7339603b9ff0364db289c09c46f01f4fed548d94baccd9deea5381b |
C:\Windows\rss\csrss.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
C:\Windows\rss\csrss.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
C:\Windows\rss\csrss.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 718676ce5f44cf52460766e8356760a3 |
| SHA1 | d240893459cea235c796726054f5c610cd8a5f6f |
| SHA256 | 75ca743590a4ae372c9f88497c244f5476d676c7e9d9129c9e5a91f732e1aa3c |
| SHA512 | 8bcd8a9ca606853f8c898fb420956fdbdb4829325046611dc6342148649bc3006a492f70ab9218f06401670d30ad17bf889e4f82ee02a363f4d2180260a9bcfa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | cb4f8d835b99ecd6d316903c2dac2037 |
| SHA1 | 98fa19b59ca3697d724bf6ce01f83525e0a885e1 |
| SHA256 | 4979e15655f251daa474d44a26f3a67fc82decd3461936c604cd4a3554f77015 |
| SHA512 | b07996d76d36144993b8bbb521f7c33c54212fc0122fee241b75001ca1f32d6716c9ff0f10638888d1967daeb428d46b190892c616dcefbd72c8bf27da60af37 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 77d8ba53534fe4876bad1dd61250fbcf |
| SHA1 | 182cbda228a83015a6f1f32adb83ee223e2c7d57 |
| SHA256 | 04b6b20cd7218cc4109b060f70c03d70254750673c388bf0ed60c3f7c5bd580d |
| SHA512 | 76bf27ccedf7e51b9df94c905bf3697367f397f75b23b7919fdd2aa3e2588241af14fe0c5313abb47395e047241e168c8f36285549a327f804c78758ed225e82 |