Malware Analysis Report

2024-10-16 05:09

Sample ID 240806-2kbpmssgrn
Target Malware with taskmgr.zip
SHA256 39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
Tags
amadey ammyyadmin cobaltstrike flawedammyy phorphiex 0 backdoor bootkit credential_access discovery evasion execution loader persistence privilege_escalation ransomware rat spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc

Threat Level: Known bad

The file Malware with taskmgr.zip was found to be: Known bad.

Malicious Activity Summary

AmmyyAdmin payload

Ammyy Admin

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

FlawedAmmyy RAT

Cobaltstrike

Windows security bypass

Phorphiex payload

Modifies security service

Phorphiex, Phorpiex

Credentials from Password Stores: Credentials from Web Browsers

Renames multiple (1484) files with added filename extension

Downloads MZ/PE file

Blocklisted process makes network request

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Reads local data of messenger clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Reads WinSCP keys stored on the system

Loads dropped DLL

Executes dropped EXE

Windows security modification

Adds Run key to start application

Looks up external IP address via web service

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Command and Scripting Interpreter: AutoIT

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Wi-Fi Discovery

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-08-06 22:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 22:37

Reported

2024-08-06 22:42

Platform

win11-20240802-en

Max time kernel

239s

Max time network

250s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

FlawedAmmyy RAT

trojan flawedammyy

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\sysmysldrv.exe N/A

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex, Phorpiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\sysmysldrv.exe N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (1484) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe N/A
N/A N/A C:\Windows\sysmysldrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\984329850.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3193133307.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1913724727.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41933479.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1583029623.exe N/A
N/A N/A C:\Users\Admin\Windows Upgrade\wupgrdsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http45.144.3.216Decrypter.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe N/A
N/A N/A \??\c:\temp2\Autoit3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\sysmysldrv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\sysmysldrv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmysldrv.exe" C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\httpsfuncaptcha.ruhvnc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\httpsfuncaptcha.ruhvnc.exe.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DP_Main = "C:\\Users\\Admin\\AppData\\Roaming\\DP\\DP_Main.exe" C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\$RECYCLE.BIN\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini C:\Windows\system32\rundll32.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe N/A

Command and Scripting Interpreter: AutoIT

execution
Description Indicator Process Target
N/A N/A \??\c:\temp2\Autoit3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\#DECRYPT MY FILES#.html C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\#DECRYPT MY FILES#.html C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pl.txt C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\#DECRYPT MY FILES#.html C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\7-Zip\License.txt C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\System\wab32.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msxactps.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File created C:\Program Files\#DECRYPT MY FILES#.html C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadds.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\GroupPop.cab C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\COPYRIGHT C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadce.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jsound.dll C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sysmysldrv.exe C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe N/A
File opened for modification C:\Windows\sysmysldrv.exe C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3193133307.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\41933479.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\sysmysldrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\984329850.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1913724727.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\temp2\Autoit3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\temp2\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\temp2\Autoit3.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1583029623.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1583029623.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1583029623.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1583029623.exe N/A
N/A N/A C:\Users\Admin\Windows Upgrade\wupgrdsv.exe N/A
N/A N/A C:\Users\Admin\Windows Upgrade\wupgrdsv.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Windows Upgrade\wupgrdsv.exe N/A
N/A N/A C:\Users\Admin\Windows Upgrade\wupgrdsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe N/A
N/A N/A \??\c:\temp2\Autoit3.exe N/A
N/A N/A \??\c:\temp2\Autoit3.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 6120 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
PID 4012 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe
PID 4012 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
PID 4720 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe C:\Windows\sysmysldrv.exe
PID 1216 wrote to memory of 1336 N/A C:\Windows\sysmysldrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 2484 N/A C:\Windows\sysmysldrv.exe C:\Windows\SysWOW64\cmd.exe
PID 6120 wrote to memory of 5476 N/A C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe C:\Users\Admin\AppData\Local\Temp\984329850.exe
PID 2484 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1336 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2484 wrote to memory of 5172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 984 wrote to memory of 5132 N/A C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 2424 N/A C:\Windows\sysmysldrv.exe C:\Users\Admin\AppData\Local\Temp\3193133307.exe
PID 1216 wrote to memory of 5036 N/A C:\Windows\sysmysldrv.exe C:\Users\Admin\AppData\Local\Temp\1913724727.exe
PID 1216 wrote to memory of 6140 N/A C:\Windows\sysmysldrv.exe C:\Users\Admin\AppData\Local\Temp\41933479.exe
PID 6140 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\41933479.exe C:\Users\Admin\AppData\Local\Temp\1583029623.exe
PID 4012 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe
PID 4012 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe
PID 4012 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe
PID 3600 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe
PID 4372 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"

C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe

"C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe"

C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

"C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"

C:\Windows\sysmysldrv.exe

C:\Windows\sysmysldrv.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS

C:\Users\Admin\AppData\Local\Temp\984329850.exe

C:\Users\Admin\AppData\Local\Temp\984329850.exe

C:\Windows\SysWOW64\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

C:\Windows\SysWOW64\sc.exe

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\sc.exe

sc stop wuauserv

C:\Windows\SysWOW64\sc.exe

sc stop DoSvc

C:\Windows\SysWOW64\sc.exe

sc stop BITS

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'httpsfuncaptcha.ruhvnc.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'httpsfuncaptcha.ruhvnc.exe' -Value '"C:\Users\Admin\AppData\Roaming\httpsfuncaptcha.ruhvnc.exe.exe"' -PropertyType 'String'

C:\Users\Admin\AppData\Local\Temp\3193133307.exe

C:\Users\Admin\AppData\Local\Temp\3193133307.exe

C:\Users\Admin\AppData\Local\Temp\1913724727.exe

C:\Users\Admin\AppData\Local\Temp\1913724727.exe

C:\Users\Admin\AppData\Local\Temp\41933479.exe

C:\Users\Admin\AppData\Local\Temp\41933479.exe

C:\Users\Admin\AppData\Local\Temp\1583029623.exe

C:\Users\Admin\AppData\Local\Temp\1583029623.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe

"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe"

C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe" /F

C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe"

C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\http45.144.3.216Decrypter.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http45.144.3.216Decrypter.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C sc delete VSS

C:\Windows\system32\sc.exe

sc delete VSS

C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe"

C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe"

\??\c:\temp2\Autoit3.exe

"c:\temp2\Autoit3.exe" c:\temp2\script.a3x

\??\c:\windows\SysWOW64\cmd.exe

"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ebakkah\hadhebc

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic ComputerSystem get domain

C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe

"C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\tar.exe

tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\735401866380_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\clip64.dll, Main

Network


Files

C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe

C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2pulqol.bkr.ps1

C:\Users\Admin\AppData\Local\Temp\3193133307.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\41933479.exe

C:\Users\Admin\AppData\Local\Temp\1583029623.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\http103.143.248.17902.08.2022.exe.exe

C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe

C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe

C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe

C:\Users\Admin\AppData\Local\Temp\735401866380

C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe

C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe

C:\ProgramData\AMMYY\settings3.bin

C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe

C:\Users\Admin\AppData\Local\Temp\httpwww.requimacofradian.sitedfjbhskdbfvsdsfgshbzdjgbsdzjkngdsnhgtuonidsgtsgbneio.exe.exe

MD5 be10a486476ff1b75aac24a2322b97e5
SHA1 acb826f0e791cfc9708321081ce319d25f8c96d5
SHA256 ff63115c8ec3b35918cc9764fccdeb6bc455d76a15bce3890a3f59c265caf5bc
SHA512 f123c06ff39dfac2bf4f2b9079325c05125d0be1369e03eab2ad2d491cebc7583f6ec2937c3429600fa4e26b1d2dd3d556076daa9c5186c0ed7b6371fcb4e2c2

C:\Users\Admin\AppData\Local\Temp\http45.144.3.216Decrypter.exe.exe

MD5 b03ce4cfe39b75ae65567c7f8632a7d2
SHA1 8aa8846466b0c74600b7061d15418735d2920b41
SHA256 5a7ec27a0871b8bbfbe2bda738df793d1152b7cd7004dbb1197cfe88ba08a68a
SHA512 16d6ff069cf604ae5cbacaff94e8848ea6475c3003af99c7bf8f4e0ca1bb2aa75a81da996fb4d6ba04f9a7d063994564a7fb1858fb2603ab137c1ab531150993

memory/5748-6532-0x0000000000E50000-0x0000000000E5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe

MD5 0f73677af37f11c406ca9f726653eb54
SHA1 c4281c3305f659b605b99888b7d7e8a7c33a65e7
SHA256 5e61a0765cbde4f5d7d66d422ab23c19047c4f600c0f953a1057243ce377bd97
SHA512 9d3ee432da9bb6f67f08995678ae7139d1ed5dc5b7646f0a0d46fe852f1f7d64095e62ee6b949bda15dc21a4aea47ef363c3e72034ffd663ad15434f9ab79c8c

memory/5752-6544-0x0000000000640000-0x000000000064C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe

MD5 e0fb946c00b140693e3cf5de258c22a1
SHA1 57f0839433234285cc9df96198a6ca58248a4707
SHA256 be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b
SHA512 d4c8878e04751bba3167e97e84d0768cd85a2f95a6be19340f2d1f894f555c1e10d01eec399c356c0ed03f25bc2fcbc575095e85dfdd2f896a9d32ec8bbaaee0

C:\Users\Admin\AppData\Local\Temp\1583029623.exe

MD5 785465df7556fcd25018bc946881db0b
SHA1 affe7ffc8eef7d8f8da2ca5a9c8a6ba0e4b40608
SHA256 b5f14a016d516f476a7e204aa21f118aedb7e5b950c5820b74a31eec4a2dd14a
SHA512 4c27a0aae22ad880aa236aa6742e5d0970b10ecd07b516e701eb51409f4e668aea80dc325366d5f582cf64b5318a79bf57066bdd628ac6ab2a76aa13939332e7

C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe

MD5 fc99ddf185aa553bf30c431cc897c903
SHA1 72c3ae0ed953a4ed3a5d1d8e3957f530c952f48d
SHA256 48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939
SHA512 0be1916e9f0fa3ff2282bbfc23ac9c5f19c15c17f5e0e6aa68edea3db7b780c53f473d40292f0ed324596996572917dfe584cc2d989773c77ee489b643dd2e46

C:\Users\Admin\AppData\Local\Temp\httpwww.requimacofradian.sitedfjbhskdbfvsdsfgshbzdjgbsdzjkngdsnhgtuonidsgtsgbneio.exe.exe

MD5 aebfc779285617af2b7a809a3a0d4c66
SHA1 bc0e3398c17b39d3d3af80fafa4b62330d4dce05
SHA256 56e2fc0004dc0ad14290148ff2e6e9619eaadc2570df9256429dc5cd771b4a71
SHA512 0baa4d66a1563fcbf333215f9579e1bba609e5cda33d4bc355ddd26a67a7b7ea9f54df1e974cfb96897654a7beb7db2aa2d86e818a7f5d3fb72dbf78e7260f62

C:\Users\Admin\AppData\Local\Temp\http103.143.248.17902.08.2022.exe.exe

MD5 b25f9a4481cdce7d7a105264b1ce0822
SHA1 b469290a256b8afd31325620fafbdd5499d7a155
SHA256 b5514b6f88020eeb0fc7866e5e88d78f3ba8213817786125de5b94cf578a4ac5
SHA512 f87d6749602b8be9a76203cc83f4a57fb89acfd8e6fa3e3b62d43f17fbec58c6f979adfc73fca418864a6a0d6a066dae8f076ea3b3d2798e20bba7f2a876fbd0

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\#DECRYPT MY FILES#.html

MD5 9e9344136e6282d23475ed3de4d67b0a
SHA1 b3fbe23e4f6a0f26ed5bfd333e76c09ec525d504
SHA256 5e795805000f3961c120758bf2ed67ddc685967eba97cd6ef401bed49cbb31d6
SHA512 602173fcb273d4f96fffb3562b4a4a0489e6bbd9e068d7c62778539b3a66f896ff6c032f0520ef52b4e4c9c75dd4955c23030d7dbf3ee3eacbfc140163a9d948

C:\vcredist2010_x86.log.html

MD5 0cb828491751b309e4e77b715b1ed233
SHA1 17c3c57533f149d904e9b3401e688f48bbd4eaed
SHA256 e9dd177a34890c67769cfad520f974f8ad16bc2ef46b8a7f702b917b6b29249b
SHA512 aa6967b891d18c7172e3c834ada2efd93a9138e4e1705373aa0ee95436d8a295ad8d9eda9a2699beb5901559a993f67370154579281ee7f37558ef460da0ae5e

C:\$Recycle.Bin\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini

MD5 ea2c5bf38fe79e56c8052eb30cba38eb
SHA1 b63ab817bc40e50a52c60ca13302d0fe88628297
SHA256 4dba9bef8575f71e60b0a95fb6aa0782b6eb734a93c7356c6514b4300eb1623f
SHA512 d558383d5b04c5b918475df57636d641bf0afb169b08e0ea5d6b41d4db2f3b7e3a0b9536926f65d0fd1da9487e2f37e6e7167c56b2092a558af9d274a8be6d41

C:\temp2\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

\??\c:\temp2\script.a3x

MD5 2e861f2d8c1dbb17adfad1553493a14a
SHA1 77fdca0697900729755386d00fe89240ceb97f7f
SHA256 f8a9100f6fe719f091cdb4115b43f53d4b6c11eb51ea667fd57af81556067bcb
SHA512 55f571e4a51f10d8c83e9b157685bdadf7d73df2849700cfbfb4aa82314320c84a35b678a6566cf17f2c115f37aaa6bf22c9edfc745517b4493cd68fc4f64cdc

memory/5944-7045-0x0000000006220000-0x0000000006236000-memory.dmp

memory/5944-7042-0x0000000006210000-0x000000000621E000-memory.dmp

memory/5944-7109-0x000000000A290000-0x000000000A31E000-memory.dmp

memory/5944-7132-0x0000000007C30000-0x0000000007CCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\http47.243.175.24844402.08.2022.exe.exe

MD5 fd0cc314b3b6c692e63fc63b0866adf2
SHA1 fedbba479a4c59890f29b3b65bfff521b958863f
SHA256 feb6cc935bd09e25dbd36f82eecdc0a31b957a62552e0fd2b95da6331c652f07
SHA512 142cac691540066873536d28a80d0f51c2320d9546e1c69820e0018c802ed2e7eca4808edd1d37bc460af3065c371a4e2ad317239cda479102987b605be3750e

C:\ProgramData\ebakkah\hadhebc

MD5 c8bbad190eaaa9755c8dfb1573984d81
SHA1 17ad91294403223fde66f687450545a2bad72af5
SHA256 7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
SHA512 05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

C:\Users\Admin\AppData\Local\Temp\http118.194.233.18502.08.2022.exe.exe

MD5 4374e3d876579fbcbf3618a9c11da321
SHA1 0c9ff3458d52e01e2010b37b4aab749369995b28
SHA256 c452d6315b15b90d2da8c343279d2ec01ae698ec5f3f60df8fdf611682342a9a
SHA512 806e441fa8fb6e70a8330f0a002f9a20b46d20239a03e11035c9703c1bc77d683d4b4c6f6d3f523c21b8ffafc783e6f541f6e6e8627ed0eaac2c0983d904111f

C:\Users\Admin\AppData\Roaming\110809d565579c\cred64.dll

MD5 c7612ef960097ff466e641c7fe0cd5d3
SHA1 06849181c7ed4a8b44440f66583e6d1c11308916
SHA256 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486
SHA512 f812f7d07b5977e09b56c1ed5deff4c7be4546627100a66bbebe1163a9d54634375686bcb0265b8c14384719e356202bc922119883bcc2f97b03c07714f7ba25

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll

MD5 c4b84b603e8d2654bd520b27f18dbfdb
SHA1 8cb99e208fb23ba5f3c21a624ce050e31bd60d27
SHA256 a45674c1672719b1e3a96211869c0b194b23083c1022b1cdd1cb1a209aa90579
SHA512 f71e3dff9b18259c12c5fc3303e8606d219ced642dd704a7b09f907ac8e7540a9e704085760112141eb617e7e8e46fb4ca43a4c0ab701d83883f01a0154f2a17

C:\Users\Admin\AppData\Local\Temp\_Files_\RevokeInstall.xlsx

MD5 d13174eaff657ace486a67e47461253a
SHA1 b48c26807bc7c7e34d44f0dfeea6c7fbc0b16bae
SHA256 aa3729d1249162255ccae1abdcd63802b88a0b6b06c24e3a42f2180117c6b1ec
SHA512 603e95764e13e96505872075394837def58e5dcaff58bf176e4845ea1b27911b53dfbc978d5c32cd21cb305d135b3f7beee5f3fe94f29f1190431123838a8db3

C:\Users\Admin\AppData\Local\Temp\735401866380_Desktop.tar

MD5 e48b66b8fd93ec30b06b3e3b2313d280
SHA1 a0c28266a880afb170281f198d8c7053c51d9f16
SHA256 404179400295af3fed129f509a27a93946f75920212aeea022b9b9b01441a465
SHA512 dac3e36246b606b7c67bf7f799e82192cafdd248308d24378b6e4351c32926dc85ced57a3aeaae2c0f09e7f638492a6c4caeb4f10d49b0100ad3649ed3a3428d

C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll

MD5 d76f10fd765a93fe82e98a40929c43c5
SHA1 684f45152dd0d462e93dffd32ce84fc3be66ac5b
SHA256 2c8d3cacbe435eadc29e26a7cdb0972bed8f5002509976d544782e0a32d8a363
SHA512 b6969be6bd902b4d041193ffa95df6313761da1b6274a653cd06a90547ae51b3faedbd4ab32b16726b1896ed47cfa405dbce483b1b0a056f495323e8eeb18665

C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll

MD5 3ac410966dd6f23e82e426c30ca1f9cb
SHA1 876c391b17be28332f5ab3e4dc3844c796376ea6
SHA256 f65e4bec3b37a5ae07323f112d32f8a374d0f258a8839772f0b445b18fe0d89d
SHA512 cb9a6db229babc609f000a6d75a285e69c61ede52fa10e3dc17e4abfa5af2780c9f85879675868a01f105011e6bfbe2f96c2d5899e68481b7b41a76d35c58671

C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll

MD5 26356288cbc786b2aafc237b654b248a
SHA1 8d3f94a37e8b9ecf999e3a60cff75b29b16f7aaf
SHA256 da1c8d6ecebc790a6ac10c38dc32b2e516cbee3e31ab5cf5b70099c910f04103
SHA512 05a4d26a8cf3b7313e5b2e69f28480f1df7679f98bbbd7dc32f7337ba55eb65e10aa8b357e7af622f3dbdaac7b82b4c9a0b788aeb55ba7ac1545fa205315ffb5

C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

MD5 73ea49b519f5c8cce61d7e341752927e
SHA1 fc6604223564ea017d3e066a9c52ad645c205314
SHA256 cae4ef1134508e13639d8a674b9561eebf8ce2dff289774183c537184faffd83
SHA512 41233f820ce9d2a23cb2061bff88e21119c95c1ce7f989690fcde6d0dadff9593f11ba271a84d1563f66242fa27cfed00145054a335dc641dbd0dce580bc8c8a

C:\Users\Admin\AppData\Roaming\110809d565579c\clip64.dll

MD5 83a532c46261758c3d74cc11fc0f20ef
SHA1 eb3827d8cdf46f80241eac73da136a5d72b5d301
SHA256 8813a622ec13533542655e87e56d5746332d3df3dcdb6c2a993a8d2b21e2583d
SHA512 74c6204d41741c38471753501b0b34323c086ad4ff00650260b92093e749d1e697e6d5c643f1e02548b6aea28b22b89fb9d291e666656071d82e10c29252b50c

C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll

MD5 48f6300b1759d6e6febbe4f6757a8135
SHA1 3045d352b5d5ae72c01bb51490b342cea7781acc
SHA256 8037f014489b83899bb23261bc1c6f6ce468549c5aca5df302baff172a325436
SHA512 dd845d9d2f3ac1dee11913a63363a9c8e1b027649830d2fa0d9ebc96fd841771671adb74aebae9cf06a49e1cf68ce123d174fd4654f8366230d696f007fcfa02

C:\Program Files\Microsoft Office\root\Office16\concrt140.dll

MD5 44b35b40b3d5e507e4306c9cce995d2d
SHA1 8470a48a8faa58f000010f3b813e21ffab5bba42
SHA256 26f53eb8c6a5b774952f83dc000732ea8ced7dfea77433648ae1a6458e7092b3
SHA512 46a82cbcdba55add17e26c19b8c12c985ce6577a453dcf706c3e561e6c0362b428a2d86c0b678117081743cde482ab2abc9c28f7f84bf5813c7e2cccecb0a798

C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms

MD5 3c5d298c4f56dda0428f4152a4fc6d46
SHA1 3e04be6968237fcb10855e13fa350ec5b218805e
SHA256 49987d8d88d20cb4a3e4a1049cfedd50a224777e5f8b40f9f1e630bb8157effd
SHA512 d6064da4f818e5e32c3879f6183c3e9699637bef9dd53797ab17bcc4202f146b4cf3749145ea89ae2eba11e2af0318f08c7e31c88911e2c79ace7d4e30e19a69

C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll

MD5 2967453cbef30daf95ba57bc0ea808c4
SHA1 cc86cd699bdfb07a90d201fa5b17789dc0e51dd4
SHA256 6b49249221a91338cc0c6743ba68c75a76f7842f77efb02385eeba0f9494a2e6
SHA512 7ce5b73b71b41ce88620b6233d76dde3335174782e6413d9634bf37960f69ce2502263cbea27608c6e4eeb0f8d2308c44e9cef03aee96855bb0e679e61199f40
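The listing above repeats the format "artifact name, blank line, MD5/SHA1/SHA256/SHA512" for every dropped file, and memory dumps appear as names with no digests. Two details matter when this listing is turned into indicators: the same on-disk path can appear twice with different hashes (the sandbox recorded the file being rewritten during detonation, so both versions are real artifacts), and a digest damaged in copy/paste must be rejected before it lands in a blocklist. The parser below is an added example written for this page; it is not code from the report, from the sandbox vendor, or from any of the malware families named. The embedded sample is a verbatim excerpt of five entries from the listing above, and the assumption that memory dumps are always named "memory/<pid>-<n>-<start>-<end>-memory.dmp" is inferred only from the entries on this page.

```python
import re
from collections import defaultdict

# Hex length each digest must have; a wrong length means a damaged IOC.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)\s*$")

# Verbatim excerpt of five entries from the 'Files' listing above (not
# fabricated): the same Temp path appears twice with different digests,
# and one memory dump sits between them with no digests at all.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\http103.143.248.17902.08.2022.exe.exe

MD5 45651e980f6a3f54d418f925ad5f855c
SHA1 569dd0f22dea8a802d01e23ac549472c30904c72
SHA256 ef3c15be4026eb4d3f9c168d52e38cbf2c1c2f10625d713f18521c0c6e62f927
SHA512 32966dd1f6ecfee6772ef3e5e2ea127bc4e8380be50f17dc7c7befc857b02c77edbd2c6dd98e09d549f53416cf92cb225e2aa7324b9c8c0e329a7092a36769cd

memory/3576-6431-0x0000000000490000-0x00000000007D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\http103.143.248.17902.08.2022.exe.exe

MD5 b25f9a4481cdce7d7a105264b1ce0822
SHA1 b469290a256b8afd31325620fafbdd5499d7a155
SHA256 b5514b6f88020eeb0fc7866e5e88d78f3ba8213817786125de5b94cf578a4ac5
SHA512 f87d6749602b8be9a76203cc83f4a57fb89acfd8e6fa3e3b62d43f17fbec58c6f979adfc73fca418864a6a0d6a066dae8f076ea3b3d2798e20bba7f2a876fbd0

C:\temp2\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

\??\c:\temp2\script.a3x

MD5 2e861f2d8c1dbb17adfad1553493a14a
SHA1 77fdca0697900729755386d00fe89240ceb97f7f
SHA256 f8a9100f6fe719f091cdb4115b43f53d4b6c11eb51ea667fd57af81556067bcb
SHA512 55f571e4a51f10d8c83e9b157685bdadf7d73df2849700cfbfb4aa82314320c84a35b678a6566cf17f2c115f37aaa6bf22c9edfc745517b4493cd68fc4f64cdc
"""


def parse_artifact_listing(text):
    """Parse the report's 'Files' listing: an artifact name on its own line,
    optionally followed by MD5/SHA1/SHA256/SHA512 lines. Returns a list of
    {'name': ..., 'hashes': {algo: hex}} dicts in listing order; entries
    without digest lines (memory dumps) get an empty 'hashes' dict."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            current["hashes"][algo] = digest
            continue
        current = {"name": line, "hashes": {}}
        records.append(current)
    return records


def is_memory_dump(record):
    """Assumption from this page: dumps are named
    'memory/<pid>-<n>-<start>-<end>-memory.dmp' and carry no digests."""
    name = record["name"]
    return name.startswith("memory/") and name.endswith("-memory.dmp")


def invalid_hashes(records):
    """(name, algo, digest) for every digest whose hex length is wrong."""
    bad = []
    for r in records:
        for algo, digest in r["hashes"].items():
            if len(digest) != HASH_LENGTHS[algo]:
                bad.append((r["name"], algo, digest))
    return bad


def conflicting_paths(records):
    """Paths recorded more than once with different SHA256 values, i.e. files
    the sandbox saw rewritten during detonation. Every version is a distinct
    artifact, so none of them may be dropped as a 'duplicate'."""
    seen = defaultdict(set)
    for r in records:
        sha = r["hashes"].get("SHA256")
        if sha:
            seen[r["name"]].add(sha)
    return {path: sorted(shas) for path, shas in seen.items() if len(shas) > 1}


def sha256_blocklist(records):
    """Sorted, deduplicated SHA256 set of on-disk artifacts, dumps excluded."""
    return sorted({r["hashes"]["SHA256"] for r in records
                   if "SHA256" in r["hashes"] and not is_memory_dump(r)})


if __name__ == "__main__":
    recs = parse_artifact_listing(SAMPLE)
    print(f"{len(recs)} entries, {sum(is_memory_dump(r) for r in recs)} memory dump(s)")
    for path, shas in conflicting_paths(recs).items():
        print(f"rewritten during detonation: {path}")
        for sha in shas:
            print(f"    {sha}")
    print("invalid digests:", invalid_hashes(recs))
    print("SHA256 blocklist:", *sha256_blocklist(recs), sep="\n  ")
```

Run it against the whole 'Files' section rather than the excerpt to get the complete blocklist; the same parser works because the section never changes format. Keep the SHA256 column as the primary indicator and treat the MD5 and SHA1 columns as lookup keys for older feeds only.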