Malware Analysis Report

2025-01-18 06:38

Sample ID 231015-kphv3sdf2z
Target file
SHA256 89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8
Tags
amadey djvu glupteba redline smokeloader vidar d37c48c18c73cc0e155c7e1dfde06db9 logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper infostealer loader persistence ransomware spyware stealer trojan pub1 evasion upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

RedLine

Detected Djvu ransomware

Amadey

SmokeLoader

Glupteba

RedLine payload

Glupteba payload

Vidar

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Deletes itself

Checks computer location settings

Modifies file permissions

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

outlook_win_path

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Creates scheduled task(s)

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Suspicious use of UnmapMainImage

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 08:46

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 08:46

Reported

2023-10-15 08:49

Platform

win7-20230831-en

Max time kernel

154s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7f1aef73-36dc-42ec-888d-7c14b81a3247\\7668.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7668.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E085.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\E085.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 1196 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 1196 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 1196 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 1196 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7956.exe
PID 1196 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7956.exe
PID 1196 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7956.exe
PID 1196 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\7956.exe
PID 1196 wrote to memory of 1640 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A4E.exe
PID 1196 wrote to memory of 1640 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A4E.exe
PID 1196 wrote to memory of 1640 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A4E.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Windows\SysWOW64\icacls.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Windows\SysWOW64\icacls.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Windows\SysWOW64\icacls.exe
PID 2480 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7956.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1196 wrote to memory of 1292 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1196 wrote to memory of 1292 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1196 wrote to memory of 1292 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1196 wrote to memory of 1292 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1196 wrote to memory of 1292 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2480 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2480 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2480 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 2480 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 1292 wrote to memory of 1020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1292 wrote to memory of 1020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1292 wrote to memory of 1020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1292 wrote to memory of 1020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1292 wrote to memory of 1020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1292 wrote to memory of 1020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1292 wrote to memory of 1020 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1196 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4AC.exe
PID 1196 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4AC.exe
PID 1196 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4AC.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Users\Admin\AppData\Local\Temp\7956.exe

C:\Users\Admin\AppData\Local\Temp\7956.exe

C:\Users\Admin\AppData\Local\Temp\9A4E.exe

C:\Users\Admin\AppData\Local\Temp\9A4E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7f1aef73-36dc-42ec-888d-7c14b81a3247" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A190.dll

C:\Users\Admin\AppData\Local\Temp\7668.exe

"C:\Users\Admin\AppData\Local\Temp\7668.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A190.dll

C:\Users\Admin\AppData\Local\Temp\A4AC.exe

C:\Users\Admin\AppData\Local\Temp\A4AC.exe

C:\Users\Admin\AppData\Local\Temp\E085.exe

C:\Users\Admin\AppData\Local\Temp\E085.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\7668.exe

"C:\Users\Admin\AppData\Local\Temp\7668.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

"C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8FFCB92D-AA38-4311-BFEC-830CC642DE60} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

"C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe"

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

"C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

"C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015084934.log C:\Windows\Logs\CBS\CbsPersist_20231015084934.cab

C:\Users\Admin\AppData\Local\Temp\E085.exe

"C:\Users\Admin\AppData\Local\Temp\E085.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 www.microsoft.com udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 colisumy.com udp
MK 95.86.30.3:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
PA 190.219.136.87:80 zexeq.com tcp
PA 190.219.136.87:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 128.140.102.206:80 128.140.102.206 tcp

Files

memory/1944-1-0x0000000000700000-0x0000000000800000-memory.dmp

memory/1944-2-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1944-3-0x0000000000230000-0x000000000023B000-memory.dmp

memory/1944-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1196-4-0x0000000002B50000-0x0000000002B66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7668.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2580-20-0x0000000000230000-0x00000000002C2000-memory.dmp

memory/2580-21-0x0000000000230000-0x00000000002C2000-memory.dmp

memory/2580-22-0x0000000002C60000-0x0000000002D7B000-memory.dmp

\Users\Admin\AppData\Local\Temp\7668.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2480-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2480-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-31-0x0000000000230000-0x00000000002C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7956.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/2480-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-38-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\9A4E.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\Temp\9A4E.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\7f1aef73-36dc-42ec-888d-7c14b81a3247\7668.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2808-61-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-60-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-65-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-64-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2808-63-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-62-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-68-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-70-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A190.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\A4AC.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2480-79-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\A190.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/1020-85-0x0000000010000000-0x0000000010251000-memory.dmp

memory/2240-86-0x0000000000290000-0x0000000000322000-memory.dmp

memory/1640-88-0x000000013FDE0000-0x0000000140731000-memory.dmp

memory/1020-101-0x0000000000240000-0x0000000000246000-memory.dmp

memory/1640-102-0x000000013FDE0000-0x0000000140731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E085.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1468-100-0x0000000004900000-0x0000000004CF8000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E085.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1468-107-0x0000000004900000-0x0000000004CF8000-memory.dmp

memory/1468-108-0x0000000004D00000-0x00000000055EB000-memory.dmp

memory/2036-109-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2036-111-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1468-110-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1020-112-0x0000000002260000-0x000000000237B000-memory.dmp

memory/1020-113-0x0000000002380000-0x0000000002481000-memory.dmp

memory/1020-114-0x0000000002380000-0x0000000002481000-memory.dmp

memory/1020-116-0x0000000002380000-0x0000000002481000-memory.dmp

memory/1020-117-0x0000000002380000-0x0000000002481000-memory.dmp

memory/2572-119-0x00000000000E0000-0x000000000014B000-memory.dmp

memory/1640-118-0x000000013FDE0000-0x0000000140731000-memory.dmp

memory/2572-120-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2572-130-0x00000000000E0000-0x000000000014B000-memory.dmp

\Users\Admin\AppData\Local\Temp\7668.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2240-142-0x0000000000290000-0x0000000000322000-memory.dmp

memory/2176-141-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1468-134-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7668.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2176-144-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2572-145-0x00000000000E0000-0x000000000014B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5d6e8e5c626d32179c668d804f287a4
SHA1 da1d303f1d99e6de1a5d077d74bbe21ca8c0ae97
SHA256 6b770bbe1dc25f1568cdc6c8c69bcb743c87ceacb592e965eb151d7d6937005a
SHA512 0aada59df447cc39e8849363c992a51bfe99d4d40df8eb5eba35311ad57ec9102e3c9995c5f9326edf3c872783a4958ee5665c743326b45157f5afd9582e153e

C:\Users\Admin\AppData\Local\Temp\Cab1813.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 ff4043b6d985f2c30024d4fb157674ad
SHA1 c77882e4db1878566899c6f2725db3da983ae226
SHA256 5ee9eb7362d51f5f51246c3542c4bdaa346405f46faf98f84194897148e9989d
SHA512 7803779c4c9cb963ad7f96bf33f9b41456432a214167545e35a638aa788f4ec379a8993f083edee95f75f9754c1c25733ad1ada14e7bb3405601a3de0233aa38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a3368211e62a4b5e5b8e8a6b03705fe5
SHA1 6553fdaea087a6685ced9b8ec7b7284ec54bcd78
SHA256 73cc0a482562344b7b97ea37057485f18fc50af6afaac2b88a1ec3fadb0a3e35
SHA512 9b90d2f3d4b9d9a172d93bae338121391cc2f07cf1a5014679e0d0947c2a025e09c3c0cf8b67da266a7aae3ee968ac847516c57c6127dee3c06a189d3c3349aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4375a0357a3cc43663d04645d8779c3c
SHA1 804e8f82df84ad90855a74dd80c8070d92a3b8cf
SHA256 4d9d60bdd78e6ab8a751f96bb81aa02579ff91fcf295c18195bc13e545c88ca1
SHA512 47b3520e9aff1bab1be73edadf96407b2f989283d204ea8c14cb55c62a5fb1ca44d1ee195a6af16cab197eb2f5a49104c4104f885bdafe0ca88811545cfbd172

memory/2176-160-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2808-161-0x0000000073040000-0x000000007372E000-memory.dmp

memory/2176-163-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1640-162-0x000000013FDE0000-0x0000000140731000-memory.dmp

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1468-167-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2176-176-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2676-191-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2676-189-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1640-182-0x000000013FDE0000-0x0000000140731000-memory.dmp

memory/2176-180-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2176-199-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2112-201-0x0000000002754000-0x0000000002783000-memory.dmp

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2176-205-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2112-206-0x0000000000220000-0x0000000000271000-memory.dmp

memory/2676-207-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1468-186-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2176-208-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1640-209-0x000000013FDE0000-0x0000000140731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E085.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5304fe4fe019c315474df33b1c8c97d2
SHA1 c354a540fb0e13f15c3c251bf3a766b3c724d661
SHA256 61e3426e32179feb152e5d062254e88213ec24785808cae11558349bb0aeaf07
SHA512 3827fe9203c6f846b2b70b8f2570650f5f9b7acd308f4c7992c9d37caf8d72c6df725e2ac521bba67b813505c4ca33fe36ef9c27bcb3edaa970ac7980f5e94f7

C:\Users\Admin\AppData\Local\Temp\TarCE48.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1468-227-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2676-228-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2808-229-0x0000000007610000-0x0000000007650000-memory.dmp

memory/2176-297-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2808-302-0x0000000073040000-0x000000007372E000-memory.dmp

memory/3040-304-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/3040-306-0x0000000000220000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Local\9e499d72-94d8-4c73-88de-40571107f58b\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2676-309-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2052-311-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2808-312-0x0000000007610000-0x0000000007650000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2052-325-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3040-328-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2676-342-0x0000000000400000-0x0000000000465000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 08:46

Reported

2023-10-15 08:49

Platform

win10v2004-20230915-en

Max time kernel

158s

Max time network

189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A6BB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BDD1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0c5a2010-930e-4a6e-bb32-81911a4d2f02\\A6BB.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A6BB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\C285.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\C285.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\C285.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C285.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CAB4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 3780 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3132 wrote to memory of 3780 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3132 wrote to memory of 3780 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3780 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3132 wrote to memory of 3416 N/A N/A C:\Users\Admin\AppData\Local\Temp\A881.exe
PID 3132 wrote to memory of 3416 N/A N/A C:\Users\Admin\AppData\Local\Temp\A881.exe
PID 3132 wrote to memory of 3416 N/A N/A C:\Users\Admin\AppData\Local\Temp\A881.exe
PID 3968 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Windows\SysWOW64\icacls.exe
PID 3968 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Windows\SysWOW64\icacls.exe
PID 3968 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Windows\SysWOW64\icacls.exe
PID 3132 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5EF.exe
PID 3132 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5EF.exe
PID 3968 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3968 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3968 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 3132 wrote to memory of 1124 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3132 wrote to memory of 1124 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 4124 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\A6BB.exe C:\Users\Admin\AppData\Local\Temp\A6BB.exe
PID 1124 wrote to memory of 4872 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1124 wrote to memory of 4872 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1124 wrote to memory of 4872 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3132 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDD1.exe
PID 3132 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDD1.exe
PID 3132 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDD1.exe
PID 2680 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\BDD1.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2680 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\BDD1.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2680 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\BDD1.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3132 wrote to memory of 1836 N/A N/A C:\Users\Admin\AppData\Local\Temp\C285.exe
PID 3132 wrote to memory of 1836 N/A N/A C:\Users\Admin\AppData\Local\Temp\C285.exe
PID 3132 wrote to memory of 1836 N/A N/A C:\Users\Admin\AppData\Local\Temp\C285.exe
PID 4364 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\A881.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3132 wrote to memory of 3940 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB4.exe
PID 3132 wrote to memory of 3940 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB4.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

C:\Users\Admin\AppData\Local\Temp\A881.exe

C:\Users\Admin\AppData\Local\Temp\A881.exe

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0c5a2010-930e-4a6e-bb32-81911a4d2f02" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B5EF.exe

C:\Users\Admin\AppData\Local\Temp\B5EF.exe

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

"C:\Users\Admin\AppData\Local\Temp\A6BB.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BA74.dll

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

"C:\Users\Admin\AppData\Local\Temp\A6BB.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BA74.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4612 -ip 4612

C:\Users\Admin\AppData\Local\Temp\BDD1.exe

C:\Users\Admin\AppData\Local\Temp\BDD1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\C285.exe

C:\Users\Admin\AppData\Local\Temp\C285.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\CAB4.exe

C:\Users\Admin\AppData\Local\Temp\CAB4.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Users\Admin\AppData\Local\Temp\CAB4.exe

"C:\Users\Admin\AppData\Local\Temp\CAB4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
NL 142.251.36.35:80 tcp
US 188.114.96.0:443 tcp
RU 79.137.192.18:80 tcp
PS 213.6.54.58:443 tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 wirtshauspost.at udp
KR 175.126.109.15:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
US 8.8.8.8:53 15.109.126.175.in-addr.arpa udp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
FR 51.255.152.132:36011 tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 f71a414a-b0db-4b39-ab02-491728d6b2d9.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server7.thestatsfiles.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
BG 185.82.216.96:443 server7.thestatsfiles.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp

Files

memory/2636-1-0x0000000000600000-0x0000000000700000-memory.dmp

memory/2636-2-0x0000000002300000-0x000000000230B000-memory.dmp

memory/2636-3-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2636-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2636-8-0x0000000002300000-0x000000000230B000-memory.dmp

memory/3132-4-0x0000000000720000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/3780-20-0x0000000004930000-0x00000000049C3000-memory.dmp

memory/3780-21-0x00000000049F0000-0x0000000004B0B000-memory.dmp

memory/3968-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A881.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

C:\Users\Admin\AppData\Local\Temp\A881.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/3968-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3968-23-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\B5EF.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\0c5a2010-930e-4a6e-bb32-81911a4d2f02\A6BB.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/3968-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4124-47-0x0000000002F10000-0x0000000002FA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BA74.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/4612-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4612-51-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6BB.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\BA74.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/4612-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4872-57-0x00000000007B0000-0x00000000007B6000-memory.dmp

memory/4872-58-0x0000000010000000-0x0000000010251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BDD1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\BDD1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\C285.exe

MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80
SHA512 4ca4afa8bf7fb92042ff188800032c7badc3372bbd30739e7fd994c9aa75f8b2723175172927cd5d2500417755920fc8543a1822c3366d814f113e4f3e75628a

C:\Users\Admin\AppData\Local\Temp\C285.exe

MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80
SHA512 4ca4afa8bf7fb92042ff188800032c7badc3372bbd30739e7fd994c9aa75f8b2723175172927cd5d2500417755920fc8543a1822c3366d814f113e4f3e75628a

memory/1836-79-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/1836-82-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1836-81-0x00000000020C0000-0x00000000020CB000-memory.dmp

memory/1852-83-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAB4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\CAB4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1852-86-0x00000000728A0000-0x0000000073050000-memory.dmp

memory/1852-91-0x0000000007C70000-0x0000000008214000-memory.dmp

memory/3812-95-0x0000000000C80000-0x0000000000CEB000-memory.dmp

memory/3812-94-0x0000000000CF0000-0x0000000000D65000-memory.dmp

memory/3812-93-0x0000000000C80000-0x0000000000CEB000-memory.dmp

memory/1852-92-0x0000000007760000-0x00000000077F2000-memory.dmp

memory/1852-96-0x0000000007750000-0x0000000007760000-memory.dmp

memory/1852-97-0x0000000007910000-0x000000000791A000-memory.dmp

memory/2180-99-0x0000000000170000-0x000000000017C000-memory.dmp

memory/3940-102-0x0000000004C00000-0x0000000004FFE000-memory.dmp

memory/2180-103-0x0000000000180000-0x0000000000187000-memory.dmp

memory/2180-107-0x0000000000170000-0x000000000017C000-memory.dmp

memory/4872-111-0x00000000008C0000-0x00000000009DB000-memory.dmp

memory/3940-119-0x0000000005100000-0x00000000059EB000-memory.dmp

memory/1852-118-0x0000000008840000-0x0000000008E58000-memory.dmp

memory/1852-126-0x0000000007AC0000-0x0000000007BCA000-memory.dmp

memory/1852-127-0x00000000079F0000-0x0000000007A02000-memory.dmp

memory/1852-128-0x0000000007A50000-0x0000000007A8C000-memory.dmp

memory/1852-129-0x0000000007BD0000-0x0000000007C1C000-memory.dmp

memory/3940-130-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3812-131-0x0000000000C80000-0x0000000000CEB000-memory.dmp

memory/3132-132-0x0000000002460000-0x0000000002476000-memory.dmp

memory/4872-136-0x0000000000AE0000-0x0000000000BE1000-memory.dmp

memory/4872-137-0x0000000000AE0000-0x0000000000BE1000-memory.dmp

memory/1836-134-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/4872-139-0x0000000000AE0000-0x0000000000BE1000-memory.dmp

memory/4872-140-0x0000000000AE0000-0x0000000000BE1000-memory.dmp

memory/4956-141-0x00007FF6F5500000-0x00007FF6F5E51000-memory.dmp

memory/3200-142-0x00000000044D0000-0x0000000004506000-memory.dmp

memory/3200-143-0x00000000728A0000-0x0000000073050000-memory.dmp

memory/3200-144-0x00000000020D0000-0x00000000020E0000-memory.dmp

memory/3200-145-0x0000000004B40000-0x0000000005168000-memory.dmp

memory/3200-146-0x00000000052E0000-0x0000000005302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlqrzlf0.vvq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\rjrreji

MD5 688bcddee8d887a70a70eb791b44abf5
SHA1 92cc959bb52a864820b438d82b9b17cc45d88ab4
SHA256 20c3c13c00a83d0add5a87d151506a28802bc08463efdede49d5dbe94fec1c80
SHA512 4ca4afa8bf7fb92042ff188800032c7badc3372bbd30739e7fd994c9aa75f8b2723175172927cd5d2500417755920fc8543a1822c3366d814f113e4f3e75628a

C:\Users\Admin\AppData\Local\Temp\CAB4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2fab4231869db03b156254240203dcdd
SHA1 aa5c5b88ad90b0f82ff520dc90cefc5d74cfa24c
SHA256 e782f8dfd35006c35ac2c4ac94cfe6576fe7ddb381524d1d93abfd505efc5188
SHA512 20fe2339bd8921b807ddc6753a5ade34ded0f49945012cdbf39c715ab2427457a7c9c0951c6bb96877e618a558e71936957df94ca1b674b53e95531fab2438d3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a8e83807e2751e51952edc87b1459b2d
SHA1 59bc13a8dc9b193d23600b2123a953282bd3cd64
SHA256 11b23190b9de0341b8de32a8be7526d5551e6517a3732ab4416f33d94bef3fa5
SHA512 884db3b12508204823039036e8b3d41c6daaabd6918b4f129dc58fe9f8ff1f21f23a28eb03942a4bad2b790b9d694f51b53385d9656a53f828686f9023bab609

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1352898b0cafaa795912d18e9507bd21
SHA1 db9624b65f273ef09f4962d3dfbbb982a568972f
SHA256 40159d80ee5f5bf4260755ca19f37a14126fe57e89e680d5f29681ddb94e5c3f
SHA512 167ad16b1cc7229d82a773b34cba42306ae701b54831bad3cf2b2813190946537a1212433460e7ba06dedc44b558ba6db40741607aaf8a2cc99f5d0faa0e7766

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3e9a4c5b0f81214b124c2b8e6214b536
SHA1 c79634b7aa8cc5ba0d51ab59190e79b75af13730
SHA256 099a9a3ac128349f0fc061dba23e78eb828a7a4f5c5ed1c26be369a167ec27e2
SHA512 c9c27b281529fee53695efb3aa457088291c3279716ec46cccee4a0f41953455e85347d97995ba7ff712b4f7a3c2837d2f0a5aa7321e6fcdfb1fc35939919695

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 898f64e3bc77c08ac5bf1abe5c2c08aa
SHA1 a6d710f5846306af9b3252cb05a8f15cac8a1d92
SHA256 cf04b909d9b45181ca13eb28b396808116ac40c24c737267c608a0082f034a58
SHA512 c1ad7f1a9bca43b5e3a866ec6ee3e876b706654484c347209b8a35050d5054b9a9b5db15d2206f32cb1167500f34a5548b77a92aed8e864caaccb40973481b2e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
