Analysis Overview
SHA256
52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94
Threat Level: Known bad
The file 52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
RedLine payload
Glupteba payload
Amadey
Djvu Ransomware
SmokeLoader
Glupteba
RedLine
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
outlook_office_path
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-15 13:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-15 13:02
Reported
2023-10-15 13:04
Platform
win10v2004-20230915-en
Max time kernel
72s
Max time network
156s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\C5B0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9D45.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9F1A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B90C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C5B0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C8EE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D17A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9D45.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74948f12-8405-49ce-904b-efe2cbd43560\\9D45.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\9D45.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2896 set thread context of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\9D45.exe | C:\Users\Admin\AppData\Local\Temp\9D45.exe |
| PID 1284 set thread context of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\9F1A.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3256 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\9D45.exe | C:\Users\Admin\AppData\Local\Temp\9D45.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\9D45.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C8EE.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C8EE.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C8EE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C8EE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe
"C:\Users\Admin\AppData\Local\Temp\52f9858d267de6bd71707c083cd0e53543b1847c194314009f1e6ea3bcd84c94.exe"
C:\Users\Admin\AppData\Local\Temp\9D45.exe
C:\Users\Admin\AppData\Local\Temp\9D45.exe
C:\Users\Admin\AppData\Local\Temp\9F1A.exe
C:\Users\Admin\AppData\Local\Temp\9F1A.exe
C:\Users\Admin\AppData\Local\Temp\9D45.exe
C:\Users\Admin\AppData\Local\Temp\9D45.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\74948f12-8405-49ce-904b-efe2cbd43560" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\B90C.exe
C:\Users\Admin\AppData\Local\Temp\B90C.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BE9B.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\BE9B.dll
C:\Users\Admin\AppData\Local\Temp\C5B0.exe
C:\Users\Admin\AppData\Local\Temp\C5B0.exe
C:\Users\Admin\AppData\Local\Temp\9D45.exe
"C:\Users\Admin\AppData\Local\Temp\9D45.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\C8EE.exe
C:\Users\Admin\AppData\Local\Temp\C8EE.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\D17A.exe
C:\Users\Admin\AppData\Local\Temp\D17A.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\9D45.exe
"C:\Users\Admin\AppData\Local\Temp\9D45.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1644 -ip 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 568
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\D17A.exe
"C:\Users\Admin\AppData\Local\Temp\D17A.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
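A triage pass over the command lines listed above, as an added example in Python (not part of the sandbox report or of any tool it names). It flags what the Processes section records: the one-minute schtasks trigger for yiueea.exe, the CACLS and icacls calls that lock the droppers' own files and directories, the netsh allow rule and the ONLOGON /RL HIGHEST task for a csrss.exe living outside System32, regsvr32 /s on a DLL in Temp, the injector handed NtQuerySystemInformationHook.dll, and the SysHelper Run value pointing into a GUID-named directory (the same directory the icacls line restricts). The rule names, the tags, the list of system-process names and the user-writable directory pattern are this example's assumptions.

```python
import re

# Command lines copied from the Processes section above (a constructed subset).
# The rule and tag names are this example's own, not the sandbox's signature names.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\9D45.exe" --Admin IsNotAutoStart IsNotTask',
    r'icacls "C:\Users\Admin\AppData\Local\74948f12-8405-49ce-904b-efe2cbd43560" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BE9B.dll',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&Exit',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'powershell -nologo -noprofile',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 568',
]
# The SysHelper Run value as the report prints it (quotes and backslashes escaped).
SAMPLE_RUN_VALUE = r'"\"C:\\Users\\Admin\\AppData\\Local\\74948f12-8405-49ce-904b-efe2cbd43560\\9D45.exe\" --AutoStart"'

PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"&|]+)')
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.I)   # assumption
SYSTEM_DIRS = re.compile(r'^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\', re.I)
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe", "services.exe"}
GUID_DIR = re.compile(r'\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\', re.I)


def paths_in(cmd):
    """Every drive-letter path in a command line, quoted or bare."""
    return [q or b for q, b in PATH_RE.findall(cmd)]


def classify_cmdline(cmd):
    """Return the tags this example's rules raise for one process command line."""
    low = cmd.lower()
    paths = paths_in(cmd)
    in_user_dir = any(USER_WRITABLE.search(p) for p in paths)
    tags = []

    # Scheduled-task creation; note a one-minute trigger and an elevated run level.
    if re.search(r'schtasks(\.exe")?\s+/create', low):
        tags.append("persistence:schtasks-create")
        if re.search(r'/sc\s+minute\s+/mo\s+1\b', low):
            tags.append("schtasks:every-minute")
        if "/rl highest" in low:
            tags.append("schtasks:run-level-highest")
        if in_user_dir:
            tags.append("schtasks:user-writable-target")

    # Inbound firewall allow rule for one program (netsh advfirewall ... action=allow).
    if "netsh" in low and "advfirewall" in low and "action=allow" in low:
        tags.append("defense-evasion:firewall-allow-rule")

    # Dropper restricting access to its own files: icacls /deny or CACLS ... "<user>:N".
    if re.search(r'\bicacls\b.*\s/deny\b', low) or re.search(r'\bcacls\b.*"[^"]*:n"', low):
        tags.append("defense-evasion:acl-self-protection")

    # regsvr32 /s loading a DLL from a user-writable directory.
    if re.search(r'\bregsvr32(\.exe)?\b', low) and re.search(r'\s/s\b', low) and in_user_dir:
        tags.append("execution:regsvr32-user-writable-dll")

    # A system-process name (csrss.exe ...) running from outside System32/SysWOW64.
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not SYSTEM_DIRS.match(p):
            tags.append("masquerading:" + name + "-outside-system32")
            break

    # Third-party injector handed a *Hook.dll and a target process name.
    if "injector" in low and re.search(r'hook\.dll\b', low):
        tags.append("defense-evasion:dll-injection-hook")
    return tags


def classify_run_value(value_data):
    """Tags for a Run-key value string in the report's escaped form."""
    unescaped = value_data.replace("\\\\", "\\").replace('\\"', '"')
    tags = []
    for p in paths_in(unescaped):
        if USER_WRITABLE.search(p):
            tags.append("persistence:run-key-user-writable-target")
        if GUID_DIR.search(p):
            tags.append("persistence:run-key-guid-directory")
    return tags


def triage(cmdlines):
    """Map each flagged command line to its tags; unflagged lines are dropped."""
    flagged = {}
    for cmd in cmdlines:
        tags = classify_cmdline(cmd)
        if tags:
            flagged[cmd] = tags
    return flagged


if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_CMDLINES).items():
        print(", ".join(tags), "<=", cmd[:70])
    print(classify_run_value(SAMPLE_RUN_VALUE))
```

Seven of the ten sample lines are flagged; the bare `powershell -nologo -noprofile`, the WerFault crash handler and the `--Admin IsNotAutoStart IsNotTask` launch are left alone because nothing in the command line itself is actionable without process-tree context.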
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.21.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.86.21.104.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| FR | 51.255.152.132:36011 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 200.162.158.95.in-addr.arpa | udp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 121.252.72.23.in-addr.arpa | udp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| RU | 31.41.244.27:41140 | | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| FR | 51.255.152.132:36011 | | tcp |
| FR | 51.255.152.132:36011 | | tcp |
| US | 8.8.8.8:53 | d88ba20b-5648-4705-ba7a-4d4c271ce96a.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| FR | 51.255.152.132:36011 | | tcp |
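An added example (Python, not from the report or the sandbox) that parses the Network table, including rows where the Domain cell is absent and the protocol has shifted one column left, and separates the names the sample resolved from reverse lookups, direct IP:port connections with no hostname, connections on non-standard ports, and repeated connections to one endpoint. Treating 80 and 443 as the only standard ports, and reading a missing hostname as a direct-to-IP connection, are this example's assumptions; the report itself does not attribute individual connections to a family.

```python
from collections import Counter

# Rows copied from the Network table above (a constructed subset). Two rows keep the
# report's malformed shape, with no Domain cell, and one is missing a cell entirely.
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| FR | 51.255.152.132:36011 | tcp | |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| RU | 31.41.244.27:41140 | tcp | |
| BG | 95.158.162.200:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | d88ba20b-5648-4705-ba7a-4d4c271ce96a.uuid.thestatsfiles.ru | udp |
| FR | 51.255.152.132:36011 | tcp |
"""

PROTOS = ("tcp", "udp")
STANDARD_PORTS = (80, 443)      # assumption: anything else is worth a second look
REVERSE_SUFFIX = ".in-addr.arpa"


def parse_row(line):
    """One table row -> dict, tolerating a missing Domain cell or a dropped trailing cell."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    rest = [c for c in cells[2:] if c]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), "")
    ip, _, port = cells[1].rpartition(":")
    return {"country": cells[0], "ip": ip, "port": int(port) if port.isdigit() else None,
            "domain": domain, "proto": proto}


def parse_table(text):
    return [r for r in map(parse_row, text.splitlines()) if r]


def summarize(records):
    """Pull out the rows a responder would block or hunt for first."""
    resolved = sorted({r["domain"] for r in records
                       if r["proto"] == "udp" and r["port"] == 53
                       and r["domain"] and not r["domain"].endswith(REVERSE_SUFFIX)})
    tcp = [r for r in records if r["proto"] == "tcp"]
    # No hostname, or a hostname that is just the IP: the client never resolved a name.
    direct_ip = sorted({(r["ip"], r["port"]) for r in tcp if r["domain"] in ("", r["ip"])})
    nonstandard = sorted({(r["ip"], r["port"]) for r in tcp if r["port"] not in STANDARD_PORTS})
    repeats = {k: n for k, n in
               Counter((r["ip"], r["port"], r["domain"]) for r in tcp).items() if n > 1}
    return {"resolved_domains": resolved, "direct_ip": direct_ip,
            "nonstandard_ports": nonstandard, "repeat_tcp": repeats}


if __name__ == "__main__":
    for key, value in summarize(parse_table(SAMPLE_TABLE)).items():
        print(key, value)
```

On the full table the repeat count for 95.158.162.200:80 / wirtshauspost.at is the beaconing evidence; the uuid-prefixed name under thestatsfiles.ru and the two direct IP:port endpoints on 36011 and 41140 are the rows with no hostname to pivot on.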
Files
memory/936-1-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/936-2-0x0000000000860000-0x000000000086B000-memory.dmp
memory/936-3-0x0000000000400000-0x00000000005B5000-memory.dmp
memory/936-4-0x0000000000400000-0x00000000005B5000-memory.dmp
memory/936-7-0x0000000000400000-0x00000000005B5000-memory.dmp
memory/936-9-0x0000000000860000-0x000000000086B000-memory.dmp
memory/3180-5-0x0000000003140000-0x0000000003156000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9D45.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\9D45.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\9F1A.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
C:\Users\Admin\AppData\Local\Temp\9F1A.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
memory/2896-26-0x0000000004880000-0x0000000004920000-memory.dmp
memory/2896-27-0x0000000004A70000-0x0000000004B8B000-memory.dmp
memory/2352-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2352-30-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9D45.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/2352-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2352-32-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B90C.exe
| MD5 | 22b5ba8e29ad46aea74520369763650a |
| SHA1 | 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec |
| SHA256 | ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec |
| SHA512 | 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead |
C:\Users\Admin\AppData\Local\74948f12-8405-49ce-904b-efe2cbd43560\9D45.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\BE9B.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
C:\Users\Admin\AppData\Local\Temp\BE9B.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
C:\Users\Admin\AppData\Local\Temp\C5B0.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\C5B0.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3884-54-0x0000000010000000-0x0000000010251000-memory.dmp
memory/3884-53-0x0000000000B30000-0x0000000000B36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\C8EE.exe
| MD5 | a9991493e536d974f42a70843dae6209 |
| SHA1 | 9f209dc03fbca602985e9f599732ebfc4b2a0cc3 |
| SHA256 | f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288 |
| SHA512 | 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a |
C:\Users\Admin\AppData\Local\Temp\C8EE.exe
| MD5 | a9991493e536d974f42a70843dae6209 |
| SHA1 | 9f209dc03fbca602985e9f599732ebfc4b2a0cc3 |
| SHA256 | f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288 |
| SHA512 | 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4448-68-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2352-69-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9D45.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\D17A.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\D17A.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/4448-80-0x0000000072360000-0x0000000072B10000-memory.dmp
memory/4448-82-0x00000000079D0000-0x0000000007F74000-memory.dmp
memory/3060-83-0x0000000000800000-0x0000000000900000-memory.dmp
memory/3060-84-0x00000000007E0000-0x00000000007EB000-memory.dmp
memory/4860-87-0x0000000001000000-0x000000000106B000-memory.dmp
memory/4860-88-0x0000000001070000-0x00000000010E5000-memory.dmp
memory/4448-85-0x00000000074C0000-0x0000000007552000-memory.dmp
memory/3060-81-0x0000000000400000-0x00000000005B5000-memory.dmp
memory/4448-90-0x00000000076B0000-0x00000000076C0000-memory.dmp
memory/2556-91-0x0000000000E30000-0x0000000000E37000-memory.dmp
memory/2556-93-0x0000000000E20000-0x0000000000E2C000-memory.dmp
memory/2556-89-0x0000000000E20000-0x0000000000E2C000-memory.dmp
memory/3256-94-0x00000000047A0000-0x0000000004836000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9D45.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/1644-100-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4448-92-0x0000000007490000-0x000000000749A000-memory.dmp
memory/1644-104-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1644-116-0x0000000000400000-0x0000000000537000-memory.dmp
memory/584-109-0x00007FF673000000-0x00007FF673951000-memory.dmp
memory/2584-123-0x0000000004B80000-0x0000000004F7E000-memory.dmp
memory/2584-124-0x0000000005080000-0x000000000596B000-memory.dmp
memory/4448-125-0x00000000085A0000-0x0000000008BB8000-memory.dmp
memory/4448-126-0x00000000077D0000-0x00000000078DA000-memory.dmp
memory/4448-127-0x0000000007700000-0x0000000007712000-memory.dmp
memory/2584-128-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3180-130-0x0000000002B40000-0x0000000002B56000-memory.dmp
memory/4448-129-0x0000000007760000-0x000000000779C000-memory.dmp
memory/3060-134-0x0000000000400000-0x00000000005B5000-memory.dmp
memory/4448-135-0x00000000078E0000-0x000000000792C000-memory.dmp
memory/4860-136-0x0000000001000000-0x000000000106B000-memory.dmp
memory/3884-137-0x00000000028F0000-0x0000000002A0B000-memory.dmp
memory/4448-138-0x0000000072360000-0x0000000072B10000-memory.dmp
memory/3884-142-0x0000000002A10000-0x0000000002B11000-memory.dmp
memory/2584-139-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3884-143-0x0000000002A10000-0x0000000002B11000-memory.dmp
memory/3884-149-0x0000000002A10000-0x0000000002B11000-memory.dmp
memory/3884-151-0x0000000002A10000-0x0000000002B11000-memory.dmp
memory/3004-152-0x0000000002910000-0x0000000002946000-memory.dmp
memory/3004-153-0x0000000072360000-0x0000000072B10000-memory.dmp
memory/3004-154-0x0000000004B30000-0x0000000004B40000-memory.dmp
memory/3004-155-0x0000000005170000-0x0000000005798000-memory.dmp
memory/3004-156-0x0000000005100000-0x0000000005122000-memory.dmp
memory/3004-159-0x0000000005880000-0x00000000058E6000-memory.dmp
memory/3004-157-0x0000000005810000-0x0000000005876000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_szeiyf20.zh3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\svsdejt
| MD5 | a9991493e536d974f42a70843dae6209 |
| SHA1 | 9f209dc03fbca602985e9f599732ebfc4b2a0cc3 |
| SHA256 | f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288 |
| SHA512 | 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a |
C:\Users\Admin\AppData\Local\Temp\D17A.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ed0c7c84559ea1ec594f60982b5708e7 |
| SHA1 | 021a06a9559a73625e2f6019801f15f1f2f3269d |
| SHA256 | 051a9520ec657c6558f4debbf403e28dd9042d20679024787ad1bf4d33eef7de |
| SHA512 | 91ee62e0c94b25f3d14ca452263f57b27ad299a1fec09e9af1157834b9b4135c259809dafd0565d835bb627f51887e881e2af7e5fac1cd686ba5085f56cb30e3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b8a50b082a1a7ea9442b6cc43268c5b8 |
| SHA1 | d0da40282a2a97a5a90c1d0fce13bc0e1c9413f8 |
| SHA256 | 421d6a760f94015ba552ae77cebe5aa21396edefb4c55b00ee86b044ee0f13f7 |
| SHA512 | 700d3b2b85c54ec3e811a8888e9db2dc3b1e5940429c6c85743fee9a9de438b3ebb597031776d104f38a0372f44cd580ce36450387699083cfa8e449eb86429b |
C:\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8b46f9cc56af5272130f339fe1a5bdf5 |
| SHA1 | 66fa55ca564a99e30a4ef2113ea892092f3bb071 |
| SHA256 | d0df4d622878ffff8120a403ab93d00c07cdaa9e4e14124ae4c27e442a06e068 |
| SHA512 | 5252c4df517625fe19d0cdd26eab472b5679eccee405f1ebd8f2f09515d9b7a203bc604d7442d0ab560a198b030214b45ccb5e203df88eab3f118f10a37b923e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 269f1f3f2c7a4aea92e9d94728a62724 |
| SHA1 | 55d9e6ec730ba2a2ba6298a0f1935776e6206034 |
| SHA256 | 39a1bac89f460d1dcab1c9950b8b78c6a0dd8142234eeacf3e0be97c05ded0b3 |
| SHA512 | 410d3e98d61552cddf2c2113c9cb2c34c625f9bda8fb999f4213e3eba8868bb972ceb14ba0544c20f0fcab65ded507124803e19fc430bdf4a77344fe164e6f23 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 351c64fb406a7187df5884664f65926a |
| SHA1 | c52ecbec20016a2d4a7e3ad69ac59f2fc9b91a8a |
| SHA256 | 331f6d58c870e7a677b5b3dd3c872c390354b32024779b43a4734dd783618f78 |
| SHA512 | 7506a1b9479b94e0ff1451d1e1a0f3e3635012046350b5ee84dc6ff1be70af72531ad590ae8b49ef762187430bbb267ef2b3f8a4a8b3bee77d8d3a60f0d0138f |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |