Malware Analysis Report

2024-09-11 01:43

Sample ID: 221028-gzepmafagn
Target: yan1.exe
SHA256: d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
Tags: yanluowang, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c

Threat Level: Known bad

The file yan1.exe was found to be: Known bad.

Malicious Activity Summary

yanluowang spyware stealer

Detects Yanluowang ransomware

Yanluowang family

Drops file in Drivers directory

Reads user/profile data of web browsers

Checks computer location settings

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-10-28 06:14

Signatures

Detects Yanluowang ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Yanluowang family

yanluowang

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-28 06:14
Reported: 2022-10-28 06:17
Platform: win7-20220812-en
Max time kernel: 108s
Max time network: 44s

Command Line

C:\Users\Admin\AppData\Local\Temp\yan1.exe -pass D86BDXL9N3H

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1132 wrote to memory of 1492 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1452 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 856 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 876 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1648 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1076 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1488 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 240 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 1496 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1132 wrote to memory of 300 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1692 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1356 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1824 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 860 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1744 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 484 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\yan1.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\yan1.exe

C:\Users\Admin\AppData\Local\Temp\yan1.exe -pass D86BDXL9N3H

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -command "Get-VM | Stop-VM -Force"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop ReportServer$ISARS

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-VM | Stop-VM -Force"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop WinDefend

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop mr2kserv

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeADTopology

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeFBA

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeIS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeSA

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop ShadowProtectSvc

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPAdminV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPTimerV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPTraceV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPUserCodeV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPWriterV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPSearch4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop IISADMIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop firebirdguardiandefaultinstance

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop ibmiasrw

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QBCFMonitorService

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QBVSS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QBPOSDBServiceV12

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop "IBM Domino Server (CProgramFilesIBMDominodata)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop IISADMIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop "Simply Accounting Database Connection Manager"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB5

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB6

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB7

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB9

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB10

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB11

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB12

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB13

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB14

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB15

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB16

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB17

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB18

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB19

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB20

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB21

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB22

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB23

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB24

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB25

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im mysql*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im dsa*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im veeam*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im chrome*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im iexplore*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im firefox*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im excel*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im taskmgr*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im tasklist*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im Ntrtscan*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im ds_monitor*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im Notifier*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im putty*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im ssh*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im TmListen*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im iVPAgent*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im CNTAoSMgr*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im IBM*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im bes10*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im black*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im robo*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im copy*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im sql

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im store.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im sql*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im vee*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im postg*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im sage*

Network

N/A

Files

memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

memory/1492-55-0x0000000000000000-mapping.dmp

memory/1452-56-0x0000000000000000-mapping.dmp

memory/856-57-0x0000000000000000-mapping.dmp

memory/876-58-0x0000000000000000-mapping.dmp

memory/1648-59-0x0000000000000000-mapping.dmp

memory/1076-60-0x0000000000000000-mapping.dmp

memory/1488-61-0x0000000000000000-mapping.dmp

memory/240-62-0x0000000000000000-mapping.dmp

memory/1496-63-0x0000000000000000-mapping.dmp

memory/300-65-0x0000000000000000-mapping.dmp

memory/1692-66-0x0000000000000000-mapping.dmp

memory/1356-67-0x0000000000000000-mapping.dmp

memory/1824-68-0x0000000000000000-mapping.dmp

memory/860-69-0x0000000000000000-mapping.dmp

memory/1744-70-0x0000000000000000-mapping.dmp

memory/484-71-0x0000000000000000-mapping.dmp

memory/800-72-0x0000000000000000-mapping.dmp

memory/820-73-0x0000000000000000-mapping.dmp

memory/1332-74-0x0000000000000000-mapping.dmp

memory/304-75-0x0000000000000000-mapping.dmp

memory/1520-76-0x0000000000000000-mapping.dmp

memory/1272-77-0x0000000000000000-mapping.dmp

memory/792-78-0x0000000000000000-mapping.dmp

memory/1064-79-0x0000000000000000-mapping.dmp

memory/1244-80-0x0000000000000000-mapping.dmp

memory/572-81-0x0000000000000000-mapping.dmp

memory/996-82-0x0000000000000000-mapping.dmp

memory/1576-83-0x0000000000000000-mapping.dmp

memory/596-84-0x0000000000000000-mapping.dmp

memory/680-85-0x0000000000000000-mapping.dmp

memory/948-86-0x0000000000000000-mapping.dmp

memory/1252-87-0x0000000000000000-mapping.dmp

memory/2056-88-0x0000000000000000-mapping.dmp

memory/2076-89-0x0000000000000000-mapping.dmp

memory/2096-90-0x0000000000000000-mapping.dmp

memory/2116-91-0x0000000000000000-mapping.dmp

memory/2168-92-0x0000000000000000-mapping.dmp

memory/2188-93-0x0000000000000000-mapping.dmp

memory/2208-94-0x0000000000000000-mapping.dmp

memory/2224-95-0x0000000000000000-mapping.dmp

memory/2248-96-0x0000000000000000-mapping.dmp

memory/2280-97-0x0000000000000000-mapping.dmp

memory/2368-99-0x0000000000000000-mapping.dmp

memory/2344-98-0x0000000000000000-mapping.dmp

memory/2408-100-0x0000000000000000-mapping.dmp

memory/2432-101-0x0000000000000000-mapping.dmp

memory/2452-102-0x0000000000000000-mapping.dmp

memory/2472-103-0x0000000000000000-mapping.dmp

memory/2492-104-0x0000000000000000-mapping.dmp

memory/2508-105-0x0000000000000000-mapping.dmp

memory/2568-106-0x0000000000000000-mapping.dmp

memory/2592-107-0x0000000000000000-mapping.dmp

memory/2620-108-0x0000000000000000-mapping.dmp

memory/2640-109-0x0000000000000000-mapping.dmp

memory/2680-110-0x0000000000000000-mapping.dmp

memory/2728-111-0x0000000000000000-mapping.dmp

memory/2748-112-0x0000000000000000-mapping.dmp

memory/2768-113-0x0000000000000000-mapping.dmp

memory/2788-114-0x0000000000000000-mapping.dmp

memory/2800-115-0x0000000000000000-mapping.dmp

memory/2856-116-0x0000000000000000-mapping.dmp

memory/2876-117-0x0000000000000000-mapping.dmp

memory/2896-118-0x0000000000000000-mapping.dmp

memory/2916-119-0x0000000000000000-mapping.dmp

memory/1496-120-0x00000000738B0000-0x0000000073E5B000-memory.dmp

memory/1496-121-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-28 06:14
Reported: 2022-10-28 06:17
Platform: win10v2004-20220812-en
Max time kernel: 150s
Max time network: 104s

Command Line

C:\Users\Admin\AppData\Local\Temp\yan1.exe -pass D86BDXL9N3H

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\SysWOW64\drivers\en-US\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\SysWOW64\drivers\es-ES\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\SysWOW64\drivers\ja-JP\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\SysWOW64\drivers\it-IT\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\SysWOW64\drivers\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\DriverStore\en-US\adp80xx.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\SDFLauncher.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\c_usbfn.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_2d569d832b41b8df\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_167948d0c94abc27\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PCLXL.GPD | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\it-IT\netavpna.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\it-IT\netlldp.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\es-ES\dc21x4vm.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\es-ES\mdmvv.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\es-ES\sisraid2.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mssmbios.inf_amd64_9fc7fe03de136fc1\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\buttonconverter.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_b8b0fe7bbc76405b\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_d9886a7bbe9e55ca\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_8a98af5011ee4dc6\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\de-DE\e2xw10x64.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\c_securitydevices.inf_amd64_f10a5650b96630b9\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA344a_AC_BRN.bin | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\stornvme.inf_amd64_1218fad01506b7af\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\de-DE\c_firmware.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\iaLPSS2i_GPIO2_GLK.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\it-IT\mdmbtmdm.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\netshell.dll.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\lsi_sss.inf_amd64_503a2398f4c86893\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\acpipagr.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\it-IT\IntelTA.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\wcnwiz.dll.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\de-DE\ts_wpdmtp.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\CompositeBus.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\netbvbda.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\es-ES\b57nd60a.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmboca.inf_amd64_c4ed3602d3c754f2\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\de-DE\netrndis.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\prnms005.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\mmc.exe.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\wevtfwd.dll.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\netloop.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\HalExtIntcLpioDma.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\Apphlpdm.dll.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\scrptadm.dll.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\de-DE\netvf63a.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\cht4vx64.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\de-DE\wstorvsc.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\Netwew01.INF_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\wvmic_heartbeat.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\xboxgip.inf_amd64_90ed6b3fdc759a5b\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\it-IT\msdv.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\es-ES\wGenCounter.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\scmvolume.inf_amd64_6957cfb7d6fea5c7\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\c_scmvolume.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\hidbatt.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\en-US\virtdisk.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\c_scmdisk.inf_amd64_d8f75a9c87c2f7c4\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\it-IT\ipmidrv.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\es-ES\microsoft_bluetooth_a2dp_src.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\c_fsencryption.inf_amd64_b4b4845819a23338\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_b2ebe9229789b181\README.txt | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\de-DE\WABSyncProvider.dll.mui | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\hidbthle.inf_loc | C:\Users\Admin\AppData\Local\Temp\yan1.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Cursors\busy_m.cur C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Globalization\ELS\Transliteration\malayalam-to-latin.nlt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-Full-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Cursors\busy_il.cur C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Fonts.Jpan~und-Jpan~1.0.mum C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-AssignedAccessCsp-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.844.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-NetFx2-OC-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\MOF\es\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-EmbeddedLogon-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\INF\wvmic_guestinterface.inf C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-NetFx-Shared-Perfcounters-Client~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Resources\Themes\aero\ja-JP\aerolite.msstyles.mui C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Multimedia-MFCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\8335c7a6cac9c2a3a77da9f4a1817282\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\9b714bc9d597b3de794f1cedb3fe3349\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\L2Schemas\WWAN_profile_v4.xsd C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\MOF\es\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-Full-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Boot\DVD\PCAT\BCD C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Package_2_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\a59eafc66ceb93baa9032d0ec04afd19\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\schemas\EAPHost\eaphostconfig.xsd C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\servicing\FodMetadata\metadata\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-SecConfig-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\apppatch\frxmain.sdb C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security.aspx.es.resx C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\HyperV-Host-Devices-EmulatedChipset-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\fr-FR\Servicing.adml C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\ImmersiveControlPanel\images\logo.altform-unplated.png C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\INF\microsoft_bluetooth_avrcptransport.inf C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\de-DE\ServiceModelRegUI.dll.mui C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\de-DE\InetRes.adml C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-MFPMP-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\en-US\en_US_word_c.lm1 C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.Microsoft.PowerShell.ConsoleHost\v4.0_1.0.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Powershell.ConsoleHost.config C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.fr.resx C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\de-DE\msched.adml C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\ja-JP\DiskDiagnostic.adml C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-AppCompat-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\it-IT\CbsMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package01~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Multimedia-MFCore-WCOSMinusHeadless-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Remotefx-Clientvm-Rdvgwddmdx11-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f577ef2b3b341c57f4b7eb23478be457\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Help\mui\0407\sqlsoldb.chm C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-CoreSystem-RemoteFS-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-ServerCommon-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File created C:\Windows\rescache\_merged\3200614358\README.txt C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Snapins-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\INF\rtux64w10.inf C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\de-DE\NetworkIsolation.adml C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\ja-JP\Sharing.adml C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
File opened for modification C:\Windows\Provisioning\Packages\Power.Settings.Display.ppkg C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
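The two "Drops file" tables above show one process creating a file of a single name (README.txt) in many unrelated directories while opening files under C:\Windows for modification. The following Python is an added example, not part of the sandbox report or the sample: it parses rows in the form this report prints them (action, path, process, target, which only works while the paths carry no spaces) and flags a process that matches that pattern. The sample rows are copied from the tables above plus one constructed benign notepad.exe row; the thresholds NOTE_MIN_DIRS and MOD_MIN are assumptions.

```python
"""Ransom-note drop and mass-modification check over report-style file rows.

Added example; not part of the sandbox report. Rows look like
'<action> <path> <process> N/A' as printed in this report. Paths with spaces
would not parse with this regex; the rows copied here have none.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_MIN_DIRS = 3   # assumption: same file name created in >= this many directories
MOD_MIN = 8         # assumption: files opened for modification under C:\Windows
ROW = re.compile(r"^(File created|File opened for modification) (\S+) (\S+) (\S+)$")


def parse_row(line):
    """Return {'action', 'path', 'process'} for one table row, else None."""
    m = ROW.match(line.strip())
    if not m:
        return None
    action, path, process, _target = m.groups()
    return {"action": action, "path": path, "process": process}


def summarise(rows):
    """Per process: directories receiving each created file name, and the
    count of modifications under C:\\Windows. Returns {process: finding}."""
    per_proc = defaultdict(lambda: {"created": defaultdict(set), "modified": 0})
    for r in rows:
        p = PureWindowsPath(r["path"])
        s = per_proc[r["process"]]
        if r["action"] == "File created":
            s["created"][p.name.lower()].add(str(p.parent).lower())
        elif str(p).lower().startswith("c:\\windows\\"):
            s["modified"] += 1

    findings = {}
    for proc, s in per_proc.items():
        # A note dropped into many directories is the ransom-note pattern.
        notes = {n: len(d) for n, d in s["created"].items() if len(d) >= NOTE_MIN_DIRS}
        if not notes and s["modified"] < MOD_MIN:
            continue
        findings[proc] = {
            "note_candidates": notes,
            "modified_under_windows": s["modified"],
            "verdict": "ransomware_like" if notes and s["modified"] >= MOD_MIN else "suspicious",
        }
    return findings


def analyse_rows(lines):
    """Parse report-style lines and summarise them, skipping unparsable ones."""
    return summarise([r for r in map(parse_row, lines) if r])


YAN = r"C:\Users\Admin\AppData\Local\Temp\yan1.exe"
# Rows copied from this report's "Drops file" tables (action, path).
_REPORT_ROWS = [
    ("File created", r"C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21\README.txt"),
    ("File created", r"C:\Windows\System32\DriverStore\FileRepository\xboxgip.inf_amd64_90ed6b3fdc759a5b\README.txt"),
    ("File created", r"C:\Windows\Microsoft.NET\Framework64\v3.5\MOF\es\README.txt"),
    ("File created", r"C:\Windows\servicing\FodMetadata\metadata\README.txt"),
    ("File created", r"C:\Windows\rescache\_merged\3200614358\README.txt"),
    ("File opened for modification", r"C:\Windows\System32\DriverStore\en-US\netloop.inf_loc"),
    ("File opened for modification", r"C:\Windows\SysWOW64\de-DE\Apphlpdm.dll.mui"),
    ("File opened for modification", r"C:\Windows\Cursors\busy_m.cur"),
    ("File opened for modification", r"C:\Windows\Globalization\ELS\Transliteration\malayalam-to-latin.nlt"),
    ("File opened for modification", r"C:\Windows\INF\wvmic_guestinterface.inf"),
    ("File opened for modification", r"C:\Windows\Boot\DVD\PCAT\BCD"),
    ("File opened for modification", r"C:\Windows\apppatch\frxmain.sdb"),
    ("File opened for modification", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\README.txt"),
]
# Constructed sample: the report rows above plus one benign, constructed negative.
SAMPLE_ROWS = [f"{a} {p} {YAN} N/A" for a, p in _REPORT_ROWS] + [
    r"File created C:\Users\Admin\Documents\notes.txt C:\Windows\System32\notepad.exe N/A",
]

if __name__ == "__main__":
    for proc, finding in analyse_rows(SAMPLE_ROWS).items():
        print(proc, finding)
```

Feed the same two functions the file-event stream from an EDR or Sysmon Event ID 11 export after mapping it to the same three fields; the report's own N/A target column is ignored by the parser.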

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4876 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 1116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4876 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\yan1.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\yan1.exe

C:\Users\Admin\AppData\Local\Temp\yan1.exe -pass D86BDXL9N3H

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -command "Get-VM | Stop-VM -Force"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQL$ISARS

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-VM | Stop-VM -Force"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop ReportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop WinDefend

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop mr2kserv

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeADTopology

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeFBA

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeIS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSExchangeSA

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop ShadowProtectSvc

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPAdminV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPTimerV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPTraceV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPUserCodeV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPWriterV4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop SPSearch4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop IISADMIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop firebirdguardiandefaultinstance

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop ibmiasrw

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QBCFMonitorService

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QBVSS

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QBPOSDBServiceV12

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop "IBM Domino Server (CProgramFilesIBMDominodata)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop IISADMIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop "Simply Accounting Database Connection Manager"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB5

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB6

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB7

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB9

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB10

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB11

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB12

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB13

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB14

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB15

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB16

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB17

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB18

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB19

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB20

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB21

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB22

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB23

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB24

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" net stop QuickBooksDB25

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im mysql*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im dsa*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im veeam*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im chrome*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im iexplore*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im firefox*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im excel*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im taskmgr*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im tasklist*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im Ntrtscan*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im ds_monitor*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im Notifier*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im putty*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im ssh*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im TmListen*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im CNTAoSMgr*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im iVPAgent*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im IBM*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im black*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im bes10*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im robo*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im copy*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im sql

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im store.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im sql*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im vee*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im postg*

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" taskkill /f /im sage*

Network

Country  Destination          Domain  Proto
US       93.184.220.29:80     -       tcp
US       93.184.220.29:80     -       tcp
US       93.184.221.240:80    -       tcp
CA       149.56.27.47:3956    -       tcp
US       52.182.143.210:443   -       tcp

Files

memory/4848-132-0x0000000000000000-mapping.dmp

memory/1900-133-0x0000000000000000-mapping.dmp

memory/3904-134-0x0000000000000000-mapping.dmp

memory/2868-135-0x0000000000000000-mapping.dmp

memory/1116-136-0x0000000000000000-mapping.dmp

memory/4116-137-0x0000000000000000-mapping.dmp

memory/3792-138-0x0000000000000000-mapping.dmp

memory/3156-139-0x0000000000000000-mapping.dmp

memory/2244-140-0x0000000000000000-mapping.dmp

memory/1116-141-0x00000000023D0000-0x0000000002406000-memory.dmp

memory/1288-142-0x0000000000000000-mapping.dmp

memory/3872-143-0x0000000000000000-mapping.dmp

memory/4080-144-0x0000000000000000-mapping.dmp

memory/1116-145-0x0000000005150000-0x0000000005778000-memory.dmp

memory/4336-147-0x0000000000000000-mapping.dmp

memory/2624-146-0x0000000000000000-mapping.dmp

memory/2372-148-0x0000000000000000-mapping.dmp

memory/4948-149-0x0000000000000000-mapping.dmp

memory/4604-150-0x0000000000000000-mapping.dmp

memory/1116-152-0x0000000004F50000-0x0000000004F72000-memory.dmp

memory/960-151-0x0000000000000000-mapping.dmp

memory/2344-155-0x0000000000000000-mapping.dmp

memory/1116-154-0x0000000005030000-0x0000000005096000-memory.dmp

memory/1116-156-0x00000000050A0000-0x0000000005106000-memory.dmp

memory/2400-153-0x0000000000000000-mapping.dmp

memory/2676-157-0x0000000000000000-mapping.dmp

memory/1348-158-0x0000000000000000-mapping.dmp

memory/4368-159-0x0000000000000000-mapping.dmp

memory/3028-160-0x0000000000000000-mapping.dmp

memory/4476-161-0x0000000000000000-mapping.dmp

memory/4832-162-0x0000000000000000-mapping.dmp

memory/1632-163-0x0000000000000000-mapping.dmp

memory/4676-164-0x0000000000000000-mapping.dmp

memory/660-165-0x0000000000000000-mapping.dmp

memory/1116-166-0x0000000005D20000-0x0000000005D3E000-memory.dmp

memory/520-167-0x0000000000000000-mapping.dmp

memory/1008-168-0x0000000000000000-mapping.dmp

memory/1084-169-0x0000000000000000-mapping.dmp

memory/2988-170-0x0000000000000000-mapping.dmp

memory/4984-171-0x0000000000000000-mapping.dmp

memory/3076-172-0x0000000000000000-mapping.dmp

memory/444-173-0x0000000000000000-mapping.dmp

memory/3524-174-0x0000000000000000-mapping.dmp

memory/1028-175-0x0000000000000000-mapping.dmp

memory/5144-176-0x0000000000000000-mapping.dmp

memory/5240-177-0x0000000000000000-mapping.dmp

memory/5280-178-0x0000000000000000-mapping.dmp

memory/5356-179-0x0000000000000000-mapping.dmp

memory/5380-180-0x0000000000000000-mapping.dmp

memory/5440-181-0x0000000000000000-mapping.dmp

memory/5488-182-0x0000000000000000-mapping.dmp

memory/5524-183-0x0000000000000000-mapping.dmp

memory/5600-184-0x0000000000000000-mapping.dmp

memory/5628-185-0x0000000000000000-mapping.dmp

memory/5716-187-0x0000000000000000-mapping.dmp

memory/5696-186-0x0000000000000000-mapping.dmp

memory/5788-188-0x0000000000000000-mapping.dmp

memory/1116-189-0x0000000006CD0000-0x0000000006D02000-memory.dmp

memory/1116-190-0x000000006FC40000-0x000000006FC8C000-memory.dmp

memory/1116-191-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/5860-192-0x0000000000000000-mapping.dmp

memory/5896-193-0x0000000000000000-mapping.dmp

memory/5952-194-0x0000000000000000-mapping.dmp

memory/5972-195-0x0000000000000000-mapping.dmp

memory/6012-196-0x0000000000000000-mapping.dmp

memory/1116-198-0x0000000007670000-0x0000000007CEA000-memory.dmp

memory/6072-197-0x0000000000000000-mapping.dmp

memory/1116-199-0x0000000007030000-0x000000000704A000-memory.dmp

memory/6092-200-0x0000000000000000-mapping.dmp

memory/5364-201-0x0000000000000000-mapping.dmp

memory/5724-203-0x0000000000000000-mapping.dmp

memory/1116-202-0x00000000070A0000-0x00000000070AA000-memory.dmp

memory/5904-204-0x0000000000000000-mapping.dmp

memory/6040-205-0x0000000000000000-mapping.dmp

memory/6148-206-0x0000000000000000-mapping.dmp

memory/6176-207-0x0000000000000000-mapping.dmp

memory/1116-208-0x00000000072B0000-0x0000000007346000-memory.dmp

memory/1116-209-0x0000000007260000-0x000000000726E000-memory.dmp

memory/1116-210-0x0000000007370000-0x000000000738A000-memory.dmp

memory/1116-211-0x0000000007350000-0x0000000007358000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 cec6220591035e8e7c9348669b0c6473
SHA1 af3e74a170d3ab22c3f1b250d25d3890a8b0ad54
SHA256 d3b707678c04cc400857d1a317536aefe3da586df0e0a6f5abc8731c9f0d3f80
SHA512 77a4f2691786b0dd65cdfcd6c24f715ef3584fd79f7c696572a0dbaf6191e72b996a3c13d12b68423563b889c45831fc1a36d4b364508176706c17ed9628526d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 640a5968529546c836734c9581618c6a
SHA1 f58b1dcf07d51dfd4eea4993fdbbb0e7d123212a
SHA256 34d0c639ab1bdb851f078c3a580ce2041c78049598676153759115496a293cb9
SHA512 8b1e858140abcc8e49c88d45d60c5fd1ea077d4d10695a140b11570e58bf20899d2270bff8fd90ea8e2f87e3098ffcf1676c747721c7350298a1eb26b62713c5