Malware Analysis Report

2024-11-13 16:39

Sample ID 241109-clzqesveqq
Target 047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a
SHA256 047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a
Tags
purecrypter redline new discovery downloader infostealer loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a

Threat Level: Known bad

The file 047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a was found to be: Known bad.

Malicious Activity Summary

purecrypter redline new discovery downloader infostealer loader

Purecrypter family

Redline family

RedLine

Detect PureCrypter injector

RedLine payload

PureCrypter

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 02:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 02:10

Reported

2024-11-09 02:13

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe"

Signatures

Detect PureCrypter injector

loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Purecrypter family

purecrypter

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 4600 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

"C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

(The -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 20)

C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp

Files

memory/4600-0-0x000000007480E000-0x000000007480F000-memory.dmp

memory/4600-1-0x00000000005D0000-0x0000000000868000-memory.dmp

memory/4600-2-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4600-3-0x00000000051B0000-0x000000000542A000-memory.dmp

memory/4600-13-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-21-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-47-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-51-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-67-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-65-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-63-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-62-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-59-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-57-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-55-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-53-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-49-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-45-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-43-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-41-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-39-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-37-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-33-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-31-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-29-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-27-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-25-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-35-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-23-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-19-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-17-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-15-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-11-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-9-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-7-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-4-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-5-0x00000000051B0000-0x0000000005424000-memory.dmp

memory/4600-2531-0x000000007480E000-0x000000007480F000-memory.dmp

memory/4600-2943-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4600-10194-0x00000000057F0000-0x0000000005812000-memory.dmp

memory/4600-10195-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/1544-10196-0x00000000029C0000-0x00000000029F6000-memory.dmp

memory/1544-10197-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/1544-10199-0x0000000005360000-0x0000000005988000-memory.dmp

memory/1544-10198-0x0000000074800000-0x0000000074FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4icjdor.z0u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1544-10201-0x0000000005990000-0x00000000059F6000-memory.dmp

memory/1544-10200-0x0000000005210000-0x0000000005276000-memory.dmp

memory/1544-10211-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

memory/1544-10212-0x0000000005FE0000-0x000000000602C000-memory.dmp

memory/1544-10213-0x00000000075F0000-0x0000000007C6A000-memory.dmp

memory/1544-10214-0x00000000064C0000-0x00000000064DA000-memory.dmp

memory/1544-10215-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/1544-10219-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4600-10220-0x0000000005920000-0x000000000596C000-memory.dmp

memory/2012-10224-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2012-10225-0x0000000074800000-0x0000000074FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe.log

MD5 c61622c508fb5668245f178cd2f9da9e
SHA1 7f5476c0bf937674de3724629db92ab932b5e690
SHA256 150522caec3cb958b51d267dca946b3449fe21a5bd12eee64b4f8fe8029fa877
SHA512 38d21503a249be8b36f4424c8378ef2f68b4f8497f110ec332a5024f4f67b8b5f26cfdcda8d4fa5373fd587f951d5c82e6880d7884caefc6ebf6d1565edf1a48

memory/4600-10226-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/2012-10227-0x0000000005B30000-0x0000000006148000-memory.dmp

memory/2012-10228-0x0000000005640000-0x000000000574A000-memory.dmp

memory/2012-10229-0x0000000005570000-0x0000000005582000-memory.dmp

memory/2012-10230-0x0000000005750000-0x000000000578C000-memory.dmp

memory/2012-10231-0x0000000005590000-0x00000000055DC000-memory.dmp

memory/2012-10232-0x0000000074800000-0x0000000074FB0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 02:10

Reported

2024-11-09 02:13

Platform

win7-20241023-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe"

Signatures

Detect PureCrypter injector

loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Purecrypter family

purecrypter

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe
PID 2816 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

"C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

(The -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 20)

C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

C:\Users\Admin\AppData\Local\Temp\047528fe2e0b207d93b51f21109eea05ece9bec290c8ddf22a09301bf262735a.exe

Network

Country Destination Domain Proto
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp
DE 194.87.71.146:49144 N/A tcp

Files

memory/2816-0-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

memory/2816-1-0x00000000011F0000-0x0000000001488000-memory.dmp

memory/2816-2-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/2816-3-0x0000000004E40000-0x00000000050BA000-memory.dmp

memory/2816-7-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-4-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-25-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-31-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-5-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-37-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-9-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-11-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-13-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-15-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-17-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-29-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-35-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-33-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-27-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-23-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-21-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-19-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-39-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-43-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-41-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-51-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-61-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-57-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-67-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-65-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-63-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-59-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-55-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-53-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-49-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-47-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2816-45-0x0000000004E40000-0x00000000050B4000-memory.dmp

memory/2956-10194-0x0000000002A90000-0x0000000002AD0000-memory.dmp

memory/2816-10195-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

memory/2816-10196-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/2956-10197-0x0000000002A90000-0x0000000002AD0000-memory.dmp

memory/2816-10198-0x0000000000E40000-0x0000000000E8C000-memory.dmp

memory/2816-10212-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/2212-10211-0x0000000000400000-0x0000000000432000-memory.dmp