Malware Analysis Report

2025-01-18 06:38

Sample ID 231014-ptdjdaea6x
Target NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe
SHA256 ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper infostealer loader persistence ransomware trojan pub1 evasion spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56

Threat Level: Known bad

The file NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe was found to be: Known bad.

Malicious Activity Summary


SmokeLoader

Glupteba payload

RedLine payload

Djvu Ransomware

Amadey

Glupteba

RedLine

Detected Djvu ransomware

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Modifies file permissions

Deletes itself

UPX packed file

Executes dropped EXE

Checks computer location settings

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-14 12:36

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 12:36

Reported

2023-10-15 01:18

Platform

win7-20230831-en

Max time kernel

194s

Max time network

207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload


RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B899.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6368d27c-b7b2-4d6c-9ddd-c4de9e0ee268\\8AD2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8AD2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2560 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 3008 set thread context of 1716 N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 1260 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 1260 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 1260 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 2560 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8AD2.exe C:\Users\Admin\AppData\Local\Temp\8AD2.exe
PID 1260 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe
PID 1260 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe
PID 1260 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe
PID 1260 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe
PID 1260 wrote to memory of 2036 N/A N/A C:\Users\Admin\AppData\Local\Temp\9FCA.exe
PID 1260 wrote to memory of 2036 N/A N/A C:\Users\Admin\AppData\Local\Temp\9FCA.exe
PID 1260 wrote to memory of 2036 N/A N/A C:\Users\Admin\AppData\Local\Temp\9FCA.exe
PID 1260 wrote to memory of 2848 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2848 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2848 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2848 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2848 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 3032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1260 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\Temp\B899.exe
PID 1260 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\Temp\B899.exe
PID 1260 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\Temp\B899.exe
PID 1260 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\Temp\B899.exe
PID 2212 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\B899.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2212 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\B899.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2212 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\B899.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2212 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\B899.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1224 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1224 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1224 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1224 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1224 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1224 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1224 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1224 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2792 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2792 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2792 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3008 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3008 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3008 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3008 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3008 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3008 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\8C88.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\8AD2.exe

C:\Users\Admin\AppData\Local\Temp\8AD2.exe

C:\Users\Admin\AppData\Local\Temp\8AD2.exe

C:\Users\Admin\AppData\Local\Temp\8AD2.exe

C:\Users\Admin\AppData\Local\Temp\8C88.exe

C:\Users\Admin\AppData\Local\Temp\8C88.exe

C:\Users\Admin\AppData\Local\Temp\9FCA.exe

C:\Users\Admin\AppData\Local\Temp\9FCA.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B1D5.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B1D5.dll

C:\Users\Admin\AppData\Local\Temp\B899.exe

C:\Users\Admin\AppData\Local\Temp\B899.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\CC69.exe

C:\Users\Admin\AppData\Local\Temp\CC69.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6368d27c-b7b2-4d6c-9ddd-c4de9e0ee268" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {3815F6F2-F941-4820-AFA5-F6A44BBB2809} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 12:36

Reported

2023-10-15 01:17

Platform

win10v2004-20230915-en

Max time kernel

127s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload


RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85F4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9DF5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\46945282-a438-4f06-b3d3-c2a3dc03b0ed\\85F4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\85F4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\85F4.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A539.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A539.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A539.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A539.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AC00.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 4856 N/A N/A C:\Users\Admin\AppData\Local\Temp\85F4.exe
PID 4856 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\85F4.exe C:\Users\Admin\AppData\Local\Temp\85F4.exe
PID 3228 wrote to memory of 3508 N/A N/A C:\Users\Admin\AppData\Local\Temp\8808.exe
PID 3752 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\85F4.exe C:\Windows\SysWOW64\icacls.exe
PID 3228 wrote to memory of 1836 N/A N/A C:\Users\Admin\AppData\Local\Temp\96AF.exe
PID 3228 wrote to memory of 888 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3752 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\85F4.exe C:\Users\Admin\AppData\Local\Temp\85F4.exe
PID 888 wrote to memory of 1716 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3228 wrote to memory of 3952 N/A N/A C:\Users\Admin\AppData\Local\Temp\9DF5.exe
PID 4012 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\85F4.exe C:\Users\Admin\AppData\Local\Temp\85F4.exe
PID 3952 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\9DF5.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3892 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3228 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\A539.exe
PID 3892 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\8808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3228 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC00.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.ec2362e8621593898b0bf217dd680288262c6dae95c1d843df4818bd0e445e56exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\85F4.exe

C:\Users\Admin\AppData\Local\Temp\85F4.exe

C:\Users\Admin\AppData\Local\Temp\85F4.exe

C:\Users\Admin\AppData\Local\Temp\85F4.exe

C:\Users\Admin\AppData\Local\Temp\8808.exe

C:\Users\Admin\AppData\Local\Temp\8808.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\46945282-a438-4f06-b3d3-c2a3dc03b0ed" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\96AF.exe

C:\Users\Admin\AppData\Local\Temp\96AF.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9A79.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9A79.dll

C:\Users\Admin\AppData\Local\Temp\85F4.exe

"C:\Users\Admin\AppData\Local\Temp\85F4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9DF5.exe

C:\Users\Admin\AppData\Local\Temp\9DF5.exe

C:\Users\Admin\AppData\Local\Temp\85F4.exe

"C:\Users\Admin\AppData\Local\Temp\85F4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4916 -ip 4916

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\A539.exe

C:\Users\Admin\AppData\Local\Temp\A539.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\AC00.exe

C:\Users\Admin\AppData\Local\Temp\AC00.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\AC00.exe

"C:\Users\Admin\AppData\Local\Temp\AC00.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 wirtshauspost.at udp
UZ 195.158.3.162:80 wirtshauspost.at tcp
US 8.8.8.8:53 162.3.158.195.in-addr.arpa udp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
UZ 195.158.3.162:80 wirtshauspost.at tcp
UZ 195.158.3.162:80 wirtshauspost.at tcp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 c3f318b1-6459-400e-9d26-d47d87f4f845.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server14.thestatsfiles.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
SG 74.125.24.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 walkinglate.com udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 127.24.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 188.114.96.0:443 walkinglate.com tcp
FR 51.255.152.132:36011 tcp
FR 51.255.152.132:36011 tcp

Files

memory/1984-2-0x00000000021C0000-0x00000000021CB000-memory.dmp

memory/1984-1-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/1984-3-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/3228-4-0x0000000008290000-0x00000000082A6000-memory.dmp

memory/1984-8-0x00000000021C0000-0x00000000021CB000-memory.dmp

memory/1984-6-0x0000000000400000-0x00000000005B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85F4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\85F4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/4856-20-0x0000000004860000-0x00000000048F4000-memory.dmp

memory/4856-21-0x0000000004A60000-0x0000000004B7B000-memory.dmp

memory/3752-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85F4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\8808.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/3752-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3752-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8808.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/3752-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96AF.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\46945282-a438-4f06-b3d3-c2a3dc03b0ed\85F4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\9A79.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\9A79.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\85F4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/3752-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1716-50-0x0000000010000000-0x0000000010251000-memory.dmp

memory/1716-49-0x0000000000F30000-0x0000000000F36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9DF5.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\9DF5.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4012-58-0x00000000047B0000-0x0000000004852000-memory.dmp

memory/4916-61-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85F4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/4916-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4916-64-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\A539.exe

MD5 a0dc2db849379678c981ff38e6864db0
SHA1 df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256 eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA512 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b

C:\Users\Admin\AppData\Local\Temp\A539.exe

MD5 a0dc2db849379678c981ff38e6864db0
SHA1 df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256 eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA512 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b

memory/2420-77-0x0000000000700000-0x0000000000800000-memory.dmp

memory/2420-78-0x0000000000640000-0x000000000064B000-memory.dmp

memory/2420-79-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC00.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\AC00.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4392-82-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1716-87-0x0000000002980000-0x0000000002A9B000-memory.dmp

memory/4392-90-0x0000000072950000-0x0000000073100000-memory.dmp

memory/4080-91-0x0000000001100000-0x000000000116B000-memory.dmp

memory/4392-94-0x0000000008080000-0x0000000008624000-memory.dmp

memory/4080-93-0x0000000001170000-0x00000000011E5000-memory.dmp

memory/4080-92-0x0000000001100000-0x000000000116B000-memory.dmp

memory/4392-95-0x0000000007BB0000-0x0000000007C42000-memory.dmp

memory/4392-96-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

memory/4316-98-0x0000000000420000-0x000000000042C000-memory.dmp

memory/2820-97-0x0000000004CE0000-0x00000000050DE000-memory.dmp

memory/4316-108-0x0000000000420000-0x000000000042C000-memory.dmp

memory/3228-104-0x0000000002440000-0x0000000002456000-memory.dmp

memory/4316-103-0x0000000000430000-0x0000000000437000-memory.dmp

memory/4392-102-0x0000000007D70000-0x0000000007D7A000-memory.dmp

memory/2420-113-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2820-125-0x00000000051E0000-0x0000000005ACB000-memory.dmp

memory/4392-124-0x0000000008C50000-0x0000000009268000-memory.dmp

memory/4392-130-0x0000000007F30000-0x000000000803A000-memory.dmp

memory/1836-129-0x00007FF7C1880000-0x00007FF7C21D1000-memory.dmp

memory/1716-132-0x0000000002AA0000-0x0000000002BA1000-memory.dmp

memory/4392-131-0x0000000007E60000-0x0000000007E72000-memory.dmp

memory/1716-133-0x0000000002AA0000-0x0000000002BA1000-memory.dmp

memory/4392-134-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

memory/1716-136-0x0000000002AA0000-0x0000000002BA1000-memory.dmp

memory/4392-137-0x0000000008630000-0x000000000867C000-memory.dmp

memory/1716-139-0x0000000002AA0000-0x0000000002BA1000-memory.dmp

memory/2820-138-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4392-140-0x0000000072950000-0x0000000073100000-memory.dmp

memory/4080-141-0x0000000001100000-0x000000000116B000-memory.dmp

memory/2820-142-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1836-143-0x00007FF7C1880000-0x00007FF7C21D1000-memory.dmp

memory/2820-144-0x0000000004CE0000-0x00000000050DE000-memory.dmp

memory/4392-145-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

memory/3288-146-0x00000000027B0000-0x00000000027E6000-memory.dmp

memory/3288-147-0x0000000072950000-0x0000000073100000-memory.dmp

memory/3288-148-0x0000000002380000-0x0000000002390000-memory.dmp

memory/3288-149-0x0000000002380000-0x0000000002390000-memory.dmp

memory/3288-150-0x0000000004E90000-0x00000000054B8000-memory.dmp

memory/3288-151-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gs10dz05.shg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3288-152-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/3288-158-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/3288-163-0x0000000005990000-0x0000000005CE4000-memory.dmp

memory/3288-164-0x0000000005D80000-0x0000000005D9E000-memory.dmp

memory/3288-167-0x0000000006320000-0x0000000006364000-memory.dmp

memory/3288-168-0x0000000002380000-0x0000000002390000-memory.dmp

memory/3288-169-0x00000000070F0000-0x0000000007166000-memory.dmp

memory/3288-171-0x00000000077F0000-0x0000000007E6A000-memory.dmp

memory/3288-172-0x0000000007170000-0x000000000718A000-memory.dmp

memory/2820-170-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\bvsdder

MD5 a0dc2db849379678c981ff38e6864db0
SHA1 df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256 eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA512 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b

memory/3288-176-0x000000007FD10000-0x000000007FD20000-memory.dmp

memory/3288-177-0x0000000007330000-0x0000000007362000-memory.dmp

memory/3288-178-0x000000006CCB0000-0x000000006CCFC000-memory.dmp

memory/3288-179-0x000000006C950000-0x000000006CCA4000-memory.dmp

memory/3288-189-0x0000000007310000-0x000000000732E000-memory.dmp

memory/3288-190-0x0000000007370000-0x0000000007413000-memory.dmp

memory/3288-191-0x0000000007460000-0x000000000746A000-memory.dmp

memory/3288-192-0x0000000007520000-0x00000000075B6000-memory.dmp

memory/3288-193-0x0000000007480000-0x0000000007491000-memory.dmp

memory/1836-194-0x00007FF7C1880000-0x00007FF7C21D1000-memory.dmp

memory/3288-197-0x00000000074C0000-0x00000000074CE000-memory.dmp

memory/3288-198-0x00000000074D0000-0x00000000074E4000-memory.dmp

memory/3288-199-0x00000000075C0000-0x00000000075DA000-memory.dmp

memory/3288-200-0x0000000007510000-0x0000000007518000-memory.dmp

memory/3288-202-0x0000000072950000-0x0000000073100000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC00.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2820-204-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3836-206-0x0000000004C60000-0x000000000505E000-memory.dmp

memory/3836-207-0x0000000005060000-0x000000000594B000-memory.dmp

memory/3984-223-0x0000000001000000-0x000000000105A000-memory.dmp

memory/1836-224-0x00007FF7C1880000-0x00007FF7C21D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 93081fef754850ca7b0bec9008e90a97
SHA1 383612ad18094e664f3e93290ddb4c6da5c6feaf
SHA256 8f1f15e3a6165a22e22b685f2d6bd0e99527f1ef5153860b6eb34526a4ab0c08
SHA512 b3c1b5acc3e51ac703d6b8cf951a24dc44f39a2ac85f5d2c97a6e40bc1542e5170d4a55c1dc40f3ad58cb9a0749295d2e38e88214d56808e41f29ea2fe612024

memory/3836-279-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ff83f55819b8a7d61809447eb8623efc
SHA1 cb94e124950b9a3df54ab4dd65b1a1e6d3d4532f
SHA256 969c3aac622ebd16c492e5f8d38f6bfbb1008441f65e4b6467b7902af5391dc5
SHA512 82071c40200bf01e02a137c8acaae0c42fb3bdc5464112a211c83532c111530ede9d52abbca2ebdf34e386e76d6781f028b0eb75b24cea3aa811fea8217f3999

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f8b9762236975746a30c019b7779a52a
SHA1 7c9710b10ca6938689ea850adb6b2097f914af36
SHA256 9563841d22180be3be3eed01112aa13de777adb0abfbaa858ef26486a36bb2dd
SHA512 33f6fed6ef6b0b45da8f2ad4349e5e41227f1870a0b769e3a9aa98e7e0c00d46cbe41457531a1f1e0f7c75d30e76210611cd82e48b30aed45c5e93196549d3dc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7db89b307e0516ddc511729421459a34
SHA1 8139fc38a0b8e187ce1d0334c8fe4ce8072440fc
SHA256 acb96267cebf25c2c11b9bdb969e38b18dc0653f90908a5d5af1b541a90fc531
SHA512 8fd1607cdbd2627472e262120b39288067da45eab4fbc8d20db91957b7f56c0e338d1d0934b3fca8a4cf7ce79536275b045a80189da8938b89f2ae3a2c6c4ce4

memory/3836-369-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f7f68b2d660812a6d0f63b85018ae2d1
SHA1 22f8c62504388d9a7c45b6cf2add3b822311e7bf
SHA256 6c14b079dde917d4e309b02f67ce1c6dc36971456229c6fe3d23d06b0e928e51
SHA512 c8cf6e58bb6d377b30ee935cb64fd4080026de77a4456f04c86f1e43ef606368df2170ca7c2b060498addae016773b7b16c23c5e643f5fadffa0673c4696df96

memory/3416-387-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3416-409-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/220-417-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3416-419-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2820-420-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3416-422-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3416-425-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2820-427-0x0000000000400000-0x00000000008DF000-memory.dmp