Malware Analysis Report

2024-12-01 03:11

Sample ID: 241111-vph6ysscjk
Target: re-yang-win.exe
SHA256: 08a04b950c6031066e2e4ad246b25baef1c48c6227a75060e4ca6cbf440a629b
Tags: collection spyware stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 08a04b950c6031066e2e4ad246b25baef1c48c6227a75060e4ca6cbf440a629b

Threat Level: Shows suspicious behavior

The file re-yang-win.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection spyware stealer

Loads dropped DLL

Checks computer location settings

Clipboard Data

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-11 17:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 17:09

Reported: 2024-11-11 17:13

Platform: win7-20240903-en

Max time kernel: 121s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe

"C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-11 17:09

Reported: 2024-11-11 17:11

Platform: win10v2004-20241007-en

Max time kernel: 75s

Max time network: 83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe N/A

Clipboard Data

Tags: collection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 396 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 2672 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 1868 wrote to memory of 180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 976 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 4324 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 4020 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 1904 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 3852 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 1440 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 3376 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 3032 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe

"C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard


Network


Files

C:\Users\Admin\AppData\Local\Temp\pkg-e4HPfM\5c9a74674baa49a8cc3965a2d84a4f89cd4ea1a459a9b493fc02a581c95bf3a8

MD5 04bfbfec8db966420fe4c7b85ebb506a
SHA1 939bb742a354a92e1dcd3661a62d69e48030a335
SHA256 da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA512 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

C:\Users\Admin\AppData\Local\Temp\pkg-e4HPfM\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

memory/4176-135-0x00007FFF749C3000-0x00007FFF749C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkc1ltp2.5gb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4176-145-0x000001DFCE750000-0x000001DFCE772000-memory.dmp

memory/4176-146-0x00007FFF749C0000-0x00007FFF75481000-memory.dmp

memory/4176-147-0x00007FFF749C0000-0x00007FFF75481000-memory.dmp

memory/4176-151-0x00007FFF749C0000-0x00007FFF75481000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8740e7db6a0d290c198447b1f16d5281
SHA1 ab54460bb918f4af8a651317c8b53a8f6bfb70cd
SHA256 f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5
SHA512 d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Temp\config.yml

MD5 98d55c31ac02b32ac3c147cad3a97ed0
SHA1 1d72218c5cdd5cfe65187d66833eeaa16fad9368
SHA256 b61bac80531f43058953c0747218203b4794908db361ed0a032d79f1168f6bdc
SHA512 36e48ab538dc41350ad4cb2a0127a1727db54b136e65f12526ac1648d884e462a28ebf7f7ca85eff37da5e7de9baddac9b28819395e65a7eb3dc83dbdd50f78e