Analysis Overview
SHA256
354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1
Threat Level: Known bad
The file 354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detected Djvu ransomware
Glupteba
Djvu Ransomware
SmokeLoader
Amadey
Glupteba payload
RedLine
Modifies Windows Firewall
Stops running service(s)
Downloads MZ/PE file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-15 10:31
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-15 10:31
Reported
2023-10-15 10:34
Platform
win10v2004-20230915-en
Max time kernel
68s
Max time network
169s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A22B.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\879B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9901.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A22B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A662.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AE04.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\70911d33-42de-426a-bee1-f7f1e7000b28\\8652.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8652.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4116 set thread context of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\8652.exe | C:\Users\Admin\AppData\Local\Temp\8652.exe |
| PID 4696 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\879B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8652.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\A662.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\A662.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\A662.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe
"C:\Users\Admin\AppData\Local\Temp\354d0f574652207b4b396e45effb35d4948819b926b9f968fa713e03726f08e1.exe"
C:\Users\Admin\AppData\Local\Temp\8652.exe
C:\Users\Admin\AppData\Local\Temp\8652.exe
C:\Users\Admin\AppData\Local\Temp\879B.exe
C:\Users\Admin\AppData\Local\Temp\879B.exe
C:\Users\Admin\AppData\Local\Temp\8652.exe
C:\Users\Admin\AppData\Local\Temp\8652.exe
C:\Users\Admin\AppData\Local\Temp\9901.exe
C:\Users\Admin\AppData\Local\Temp\9901.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9F7A.dll
C:\Users\Admin\AppData\Local\Temp\A22B.exe
C:\Users\Admin\AppData\Local\Temp\A22B.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9F7A.dll
C:\Users\Admin\AppData\Local\Temp\A662.exe
C:\Users\Admin\AppData\Local\Temp\A662.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\AE04.exe
C:\Users\Admin\AppData\Local\Temp\AE04.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\70911d33-42de-426a-bee1-f7f1e7000b28" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\8652.exe
"C:\Users\Admin\AppData\Local\Temp\8652.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\8652.exe
"C:\Users\Admin\AppData\Local\Temp\8652.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3680 -ip 3680
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 584
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
C:\Users\Admin\AppData\Local\Temp\AE04.exe
"C:\Users\Admin\AppData\Local\Temp\AE04.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
Files
| MD5 | a3368211e62a4b5e5b8e8a6b03705fe5 |
| SHA1 | 6553fdaea087a6685ced9b8ec7b7284ec54bcd78 |
| SHA256 | 73cc0a482562344b7b97ea37057485f18fc50af6afaac2b88a1ec3fadb0a3e35 |
| SHA512 | 9b90d2f3d4b9d9a172d93bae338121391cc2f07cf1a5014679e0d0947c2a025e09c3c0cf8b67da266a7aae3ee968ac847516c57c6127dee3c06a189d3c3349aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | c1370f18a8ca34bc477df4d8afdb6589 |
| SHA1 | 63c80a2c22a6d6acf14d96daff278f5ae9c08e11 |
| SHA256 | 47914ce0712987b747a885d5347bb476fc67a05ebbd2158cdd6bee833b9295a2 |
| SHA512 | d49bb60bf0ee337976b7c641d57298f129a3724a2eaad14abc27c120f73d92ac2a1d4c225adee55765d16528f68da2044ecf20ae2164b7f298d3280ce1527d97 |
memory/4408-184-0x00000000061A0000-0x00000000061BE000-memory.dmp
memory/4408-187-0x0000000006240000-0x000000000628C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
memory/3196-196-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2472-212-0x0000000008400000-0x0000000008A18000-memory.dmp
memory/4408-213-0x0000000006720000-0x0000000006764000-memory.dmp
memory/2472-214-0x00000000076C0000-0x00000000077CA000-memory.dmp
memory/2472-215-0x00000000075D0000-0x00000000075E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/2472-222-0x0000000007630000-0x000000000766C000-memory.dmp
memory/1744-238-0x0000000004C50000-0x0000000005049000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4408-236-0x0000000002C50000-0x0000000002C60000-memory.dmp
memory/4408-240-0x0000000073090000-0x0000000073840000-memory.dmp
memory/4408-241-0x0000000002C50000-0x0000000002C60000-memory.dmp
memory/4408-242-0x0000000002C50000-0x0000000002C60000-memory.dmp
memory/1744-243-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3268-244-0x00007FF6DA7F0000-0x00007FF6DB141000-memory.dmp
memory/4408-245-0x00000000072B0000-0x0000000007326000-memory.dmp
memory/4276-246-0x0000000073090000-0x0000000073840000-memory.dmp
memory/2472-247-0x00000000075A0000-0x00000000075B0000-memory.dmp
memory/4276-248-0x0000000002590000-0x00000000025A0000-memory.dmp
memory/4408-258-0x0000000007BE0000-0x000000000825A000-memory.dmp
memory/4408-259-0x0000000007560000-0x000000000757A000-memory.dmp
memory/3196-260-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\hvgjeuj
| MD5 | 6ad69f6c71b75757dbc49c766a80ba29 |
| SHA1 | b6b13b15fb803973f2c9af72b4c5919c8973e566 |
| SHA256 | ccf04116b64d3d2a49c2ace2e2c4f82c53d1f6a14d61e917de94819cc161467e |
| SHA512 | 535daf2c246b62cd56b58186d7831995fd6653e6f16da59e3e12dc6ff6dd01635274368383e58ed3168cd66c059b73006d1f30ac65953da463844f3a8329b7fc |
memory/4408-265-0x0000000007720000-0x0000000007752000-memory.dmp
memory/4408-266-0x0000000073F30000-0x0000000073F7C000-memory.dmp
memory/1744-264-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4408-267-0x000000006ECB0000-0x000000006F004000-memory.dmp
memory/4408-277-0x0000000007760000-0x000000000777E000-memory.dmp
memory/4276-278-0x0000000002590000-0x00000000025A0000-memory.dmp
memory/4408-279-0x000000007F800000-0x000000007F810000-memory.dmp
memory/4908-298-0x00007FF6BE430000-0x00007FF6BE9D1000-memory.dmp
memory/3268-302-0x00007FF6DA7F0000-0x00007FF6DB141000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | a6ea7bfcd3aac150c0caef765cb52281 |
| SHA1 | 037dc22c46a0eb0b9ad4c74088129e387cffe96b |
| SHA256 | f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9 |
| SHA512 | c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | dbb29ce12f94b71b55e7833ad30399b5 |
| SHA1 | f83bcb318cf1c6345a609edf2fedd71eebf6d034 |
| SHA256 | 4c03f69051c3be344f20277753d56f9a81ae985e007528bb984723e6f09babfa |
| SHA512 | 5d1aaf9756babc616a3b5b10988405423ff02af1744f91f2b3d7b6c94997989b5ef2f0be0866f3df49b9c03570ebc5cac17e293ac8b2c30a464ea53f128baf8d |
memory/3196-319-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
C:\Users\Admin\AppData\Local\Temp\AE04.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/1744-324-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2392-326-0x0000000000810000-0x000000000086A000-memory.dmp
memory/3268-327-0x00007FF6DA7F0000-0x00007FF6DB141000-memory.dmp
memory/3196-359-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3756-377-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4716-389-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6c79c29bcf6738882c33545bced1a9c0 |
| SHA1 | f5d17ba792c9cbdf1f907072c1202115ddbd08f1 |
| SHA256 | 5c0fb8e8d48d417f3c803cd725d8ed17e6e64359be57b130ac49446f57c3634c |
| SHA512 | 7ac8488eeb4a67ac270bb786cbc691a43129cd8d7e3cb5c568fd606a97404393b46448c7b332900d6521854f565f129a36135ef0670a7903f32175d7c2ba6f47 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
memory/3756-450-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6c79c29bcf6738882c33545bced1a9c0 |
| SHA1 | f5d17ba792c9cbdf1f907072c1202115ddbd08f1 |
| SHA256 | 5c0fb8e8d48d417f3c803cd725d8ed17e6e64359be57b130ac49446f57c3634c |
| SHA512 | 7ac8488eeb4a67ac270bb786cbc691a43129cd8d7e3cb5c568fd606a97404393b46448c7b332900d6521854f565f129a36135ef0670a7903f32175d7c2ba6f47 |
memory/4716-464-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4908-466-0x00007FF6BE430000-0x00007FF6BE9D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4908-498-0x00007FF6BE430000-0x00007FF6BE9D1000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ecc2d69010909173a8b4b076aedd182a |
| SHA1 | bba2920d0eef9ec63bd44c31e4cfb27da6be8b1a |
| SHA256 | d028bf44db8b23a098aec8feba408a125022a8e8d139f3da9a4251fdc9744018 |
| SHA512 | f749be53f31372453ea0a0ec549d3ccd69f85f93675331f98205888bf2ae9fdd97d277313406fcbe816e456e8e0480a08456243a0c94bb7bd8b557f0421f5e42 |
memory/3756-513-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4716-514-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ecc2d69010909173a8b4b076aedd182a |
| SHA1 | bba2920d0eef9ec63bd44c31e4cfb27da6be8b1a |
| SHA256 | d028bf44db8b23a098aec8feba408a125022a8e8d139f3da9a4251fdc9744018 |
| SHA512 | f749be53f31372453ea0a0ec549d3ccd69f85f93675331f98205888bf2ae9fdd97d277313406fcbe816e456e8e0480a08456243a0c94bb7bd8b557f0421f5e42 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1752-564-0x00007FF709740000-0x00007FF709CE1000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 42f0304ba3920b436be80259f43c17c5 |
| SHA1 | df57952dedece7a0136b7d3f367970835c308b1f |
| SHA256 | 4999a7e19ccd5088a111b7c45b09754f12a72073713f8b8852e6249e158b2e94 |
| SHA512 | 1cf839a2e14d5700fa3ceef3dc6023b250f5ddcb222a7f67ba4f0db8b0b28b18fa0e8c22932313fe04471aa206d703e2e35e90ba4d06373ebd90f7a8293b4253 |
C:\Windows\rss\csrss.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA1 | fd87db535189654374d269e59ff1dd62020e4464 |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
| SHA512 | a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 42f0304ba3920b436be80259f43c17c5 |
| SHA1 | df57952dedece7a0136b7d3f367970835c308b1f |
| SHA256 | 4999a7e19ccd5088a111b7c45b09754f12a72073713f8b8852e6249e158b2e94 |
| SHA512 | 1cf839a2e14d5700fa3ceef3dc6023b250f5ddcb222a7f67ba4f0db8b0b28b18fa0e8c22932313fe04471aa206d703e2e35e90ba4d06373ebd90f7a8293b4253 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d639c7833b969cfb55f5136817f208c9 |
| SHA1 | 8489c8f0a4ce2c3ea76a7cabaeca7f42866d094c |
| SHA256 | 9d81f723a6a69ebc948d4a25b81a69149fa40ed1adf4b273d285df08f88effc6 |
| SHA512 | a581afbd944bc8193d47c57a530afd573875d468e7996d3cb08da5a837baf4467f5dd6b30e57e9f111949cedc6448efcbde0df8e9631f263e30f4f936c74565f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f8196853c247facdde1a475f822687a4 |
| SHA1 | 69e0b60d90ea721670dedf4a392d19610fe17e72 |
| SHA256 | 078cb311ee958af26c16007ebe9626c8a725a013a14bfad37728f8addc319870 |
| SHA512 | a6c28d4b85b1850cefdfe5bce57612624ae5fc241d95ab41f60408293214cd9901e2597df280a47e7e3750bb2094e3cc16df279a91a6b79b21986f8e7ca8f993 |
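The dropped-file listing above is raw sandbox output, and the interesting facts in it are relational rather than per-line: the SHA256 written as latestX.exe under Temp\1000116001 reappears as C:\Program Files\Google\Chrome\updater.exe, and the SHA256 of d21cbe21e38b385a41a68c5e6dd32f4c.exe under Temp\1000115001 reappears as C:\Windows\rss\csrss.exe, a core process name outside System32. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses the listing format shown here (a path line followed by `| MD5 | ... |` rows, and `memory/PID-index-start-end-memory.dmp` lines) into records, then groups paths by SHA256, flags system-process names living outside System32/SysWOW64, sizes the dumped memory regions per PID, and emits a deduplicated SHA256 list. The embedded SAMPLE is an excerpt of the entries above; the SYSTEM_NAMES allow-list is an assumption chosen for illustration, not an exhaustive catalogue.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the dropped-file and memory-dump entries from the
# listing above, in the same plain-text form (path line, then "| HASH | value |" rows).
SAMPLE = r"""
memory/3196-137-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
| MD5 | 62962daa1b19bbcc2db10b7bfd531ea6 |
| SHA256 | 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880 |
C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
C:\Windows\rss\csrss.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
C:\Windows\rss\csrss.exe
| MD5 | 8627c70b06ccae7c64acdd10a0d5d0ae |
| SHA256 | a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Process names that legitimately live only under System32/SysWOW64. Assumption: a short
# illustrative allow-list, not an exhaustive one.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "wininit.exe",
                "services.exe", "svchost.exe", "taskhost.exe", "taskhostw.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_listing(text):
    """Split the listing into file records ({path, hashes}) and memory regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "index": int(idx),
                            "start": start, "end": end, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:              # hash row belongs to the preceding path
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}   # anything else starts a new file entry
        files.append(current)
    return files, regions


def paths_by_sha256(files):
    """Map each SHA256 to the sorted list of distinct paths it was written to."""
    by_hash = defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha:
            by_hash[sha].add(f["path"])
    return {h: sorted(p) for h, p in by_hash.items()}


def reused_payloads(files):
    """SHA256s dropped under more than one path: the same binary staged for persistence."""
    return {h: p for h, p in paths_by_sha256(files).items() if len(p) > 1}


def masquerading_binaries(files):
    """Paths whose basename is a core Windows process name but which sit outside System32/SysWOW64."""
    hits = set()
    for f in files:
        path = f["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not path.lower().startswith(SYSTEM_DIRS):
            hits.add(path)
    return sorted(hits)


def largest_region(regions, pid):
    """Largest dumped region for a PID. A multi-MB region at 0x400000 (the default 32-bit
    image base) is the usual place to look for an unpacked or inflated payload."""
    mine = [r for r in regions if r["pid"] == pid]
    return max(mine, key=lambda r: r["size"]) if mine else None


def sha256_iocs(files):
    """Deduplicated SHA256 list for blocking or hunting."""
    return sorted(paths_by_sha256(files))


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for sha, paths in reused_payloads(files).items():
        print(sha[:16], "->", " | ".join(paths))
    print("masquerading:", masquerading_binaries(files))
    big = largest_region(regions, 3196)
    print("pid 3196 largest region: %#x-%#x (%d bytes)" % (big["start"], big["end"], big["size"]))
    print("iocs:", sha256_iocs(files))
```

Run it against the full listing rather than the excerpt and the same two reused hashes fall out, plus every memory region per PID; the grouping by SHA256 is also what turns the repeated entries in the listing into a compact IOC set.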