Analysis Overview
SHA256
999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785
Threat Level: Known bad
The file 999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785 was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
RedLine payload
Detected Djvu ransomware
Djvu Ransomware
Vidar
SmokeLoader
RedLine
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Deletes itself
Themida packer
Modifies file permissions
Checks whether UAC is enabled
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Checks SCSI registry key(s)
outlook_office_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Uses Task Scheduler COM API
outlook_win_path
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-16 17:13
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-16 17:13
Reported
2023-10-16 17:16
Platform
win10-20230915-en
Max time kernel
46s
Max time network
157s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6CEF.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6CEF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\6CEF.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6963.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CEF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6F9F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83D6.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6abb4aae-4f69-4f28-9d0b-d02f26640baf\\6963.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6963.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6CEF.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CEF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2140 set thread context of 240 | N/A | C:\Users\Admin\AppData\Local\Temp\6963.exe | C:\Users\Admin\AppData\Local\Temp\6963.exe |
| PID 4968 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\6F9F.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6F9F.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\83D6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\83D6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\83D6.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe | "C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe" |
| C:\Users\Admin\AppData\Local\Temp\6963.exe | C:\Users\Admin\AppData\Local\Temp\6963.exe |
| C:\Users\Admin\AppData\Local\Temp\6CEF.exe | C:\Users\Admin\AppData\Local\Temp\6CEF.exe |
| C:\Users\Admin\AppData\Local\Temp\6F9F.exe | C:\Users\Admin\AppData\Local\Temp\6F9F.exe |
| C:\Users\Admin\AppData\Local\Temp\6963.exe | C:\Users\Admin\AppData\Local\Temp\6963.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7609.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\7609.dll |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\7B88.exe | C:\Users\Admin\AppData\Local\Temp\7B88.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 140 |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" |
| C:\Users\Admin\AppData\Local\Temp\83D6.exe | C:\Users\Admin\AppData\Local\Temp\83D6.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\6abb4aae-4f69-4f28-9d0b-d02f26640baf" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit |
| C:\Users\Admin\AppData\Local\Temp\8CEF.exe | C:\Users\Admin\AppData\Local\Temp\8CEF.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Users\Admin\AppData\Local\Temp\6963.exe | "C:\Users\Admin\AppData\Local\Temp\6963.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\6963.exe | "C:\Users\Admin\AppData\Local\Temp\6963.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe | "C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe" |
| C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe | "C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe" |
| C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe | "C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 6 |
| C:\Users\Admin\AppData\Local\Temp\8CEF.exe | "C:\Users\Admin\AppData\Local\Temp\8CEF.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| C:\Windows\System32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe | "C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
Network
Files
memory/3824-184-0x0000000005D40000-0x0000000005D55000-memory.dmp
memory/3824-186-0x0000000005D40000-0x0000000005D55000-memory.dmp
memory/3824-192-0x0000000005D40000-0x0000000005D55000-memory.dmp
memory/3824-194-0x0000000005D40000-0x0000000005D55000-memory.dmp
memory/3824-190-0x0000000005D40000-0x0000000005D55000-memory.dmp
memory/3824-188-0x0000000005D40000-0x0000000005D55000-memory.dmp
memory/2444-195-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1312-198-0x0000000006F30000-0x0000000006F4C000-memory.dmp
memory/4932-197-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2444-196-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3824-204-0x0000000005DC0000-0x0000000005DD0000-memory.dmp
memory/3824-182-0x0000000005D40000-0x0000000005D55000-memory.dmp
memory/2444-206-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4932-205-0x0000000073520000-0x0000000073C0E000-memory.dmp
memory/3264-179-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/2444-208-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2444-210-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3268-175-0x00000000008E0000-0x00000000008F6000-memory.dmp
memory/3824-165-0x0000000005D40000-0x0000000005D5C000-memory.dmp
memory/4812-163-0x00000000022F0000-0x0000000002385000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ryn5ulg4.mfu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2444-249-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2444-265-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2972-279-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2972-280-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2972-278-0x0000000000400000-0x0000000000465000-memory.dmp
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Temp\8CEF.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Roaming\tawstsb
| MD5 | 7db5f7b5ec9b48a6b974021ca5539eb5 |
| SHA1 | 15ec87aaf56d33e3477b62ad7ec8784031470131 |
| SHA256 | ee699486a44c9c1fd2f872f49d76c35bc509347d03a1f60d6fe7f631c1874bb5 |
| SHA512 | 47d4d6bef985bb8fdada84e375b670d477271d954274250ddce9ff404f37d86aaf611ab36f28aae4bcc3ec906fb412a6527289289af78c1bd68775aeab6945ce |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9532abced6c1fdb2bec38b681c9c58ed |
| SHA1 | 28c7a3118ffa5f275335d04d83cff85d72159773 |
| SHA256 | 4bd3c7297ae6b7a95e30556b4476f169a868a61787d85f55232cd2c23aa632c9 |
| SHA512 | 2b42217463849b89d3a9f7a758695c653d834712876c9878af1338aa6e37908f613ea5d88cdb83db7ce7d226a8031b2583b8c9303101074122d3770a2db6706c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7bb71fa6c5589cd4f4cf8800de7e1b7f |
| SHA1 | f47b58b8f08bcc527f1148446f28a5a46661c1dd |
| SHA256 | 14cd118a6e83b1e2ba2dbd51ea3cfeee9ae1b958c95824396c11214ea06d6ce0 |
| SHA512 | 394d7eb76ccaf61cf9f90443c099000f67ab7c4b4800842e3ab7ca709e42187380d5155c5da0f20c57a8805512d2455a11b6bee314a4f33e53b6fde0a083e7c2 |
C:\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 75134e13d8eeda607856565a3a984257 |
| SHA1 | f0bb6cf7ca8e45e774ff3077fe5f1a060b72edeb |
| SHA256 | f0de5b3c1c51afc455a0d03c2c75ba319cad5784ef7e91a228df68c32644aaa9 |
| SHA512 | aa7b2c5d5365dfdeef536c67a7199f689f4079c44e3d901c5247e5f1a5c5435a8d6c304d2092771d92205878e1b1eebdc79f0cd7a505e98e5f6933b89c2a28de |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | bb0a3c1b852bedea3d66e43fcf02b79a |
| SHA1 | 19afe47c015fe7ba8ff12c86d7c6fcb7f10f83bc |
| SHA256 | 8538b1b464d8501621c2001a43a7cec137a7d703c4d72487c25369f9f5527883 |
| SHA512 | 06bf03f2e657b609457b9d37a24e376d487bceb61c4fff29f054a63f60fc0d12455c9f3884701575d725cd941bf92daaca4a0c378db5177b5675a07aad9a745b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2dd54c7e1bdc56ce48afa21bbd44fced |
| SHA1 | 5446b44962efc18f242c3e2cc9af6b6ab5216428 |
| SHA256 | 237bade4ec3f8a8407f67201d306c16015b6caff83d8065d5edbecad7128435c |
| SHA512 | 0ad7b0e479f4eb047e13835cf2aa36f243c0e0e1bb126ab9ab40678b0347fe3fc959ed4622c13015f3760d0bc51c4ae54723208ef8e6950898f20c95b0a05527 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |