Malware Analysis Report

2025-01-18 06:38

Sample ID 231015-rrk7jshf89
Target NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe
SHA256 3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery infostealer persistence ransomware trojan glupteba pub1 collection dropper evasion loader spyware themida upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0

Threat Level: Known bad

The file NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery infostealer persistence ransomware trojan glupteba pub1 collection dropper evasion loader spyware themida upx

RedLine payload

Amadey

Glupteba payload

SmokeLoader

RedLine

Djvu Ransomware

Glupteba

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Deletes itself

Modifies file permissions

Loads dropped DLL

Themida packer

Checks computer location settings

Checks BIOS information in registry

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Creates scheduled task(s)

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 14:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 14:25

Reported

2023-10-15 14:28

Platform

win7-20230831-en

Max time kernel

85s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\443710a6-272d-424e-94dc-ae6078de243b\\EE74.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EE74.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6867.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 1232 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 1232 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 1232 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2816 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2744 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Windows\SysWOW64\icacls.exe
PID 2744 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Windows\SysWOW64\icacls.exe
PID 2744 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Windows\SysWOW64\icacls.exe
PID 2744 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Windows\SysWOW64\icacls.exe
PID 1232 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\Temp\1575.exe
PID 1232 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\Temp\1575.exe
PID 1232 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\Temp\1575.exe
PID 2744 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2744 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2744 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2744 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 1232 wrote to memory of 1692 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 1692 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 1692 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 1692 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 1692 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1692 wrote to memory of 752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 2832 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\EE74.exe C:\Users\Admin\AppData\Local\Temp\EE74.exe
PID 1232 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\Temp\6867.exe
PID 1232 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\Temp\6867.exe
PID 1232 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\Temp\6867.exe
PID 1232 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\Temp\6867.exe
PID 1232 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\70C1.exe
PID 1232 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\70C1.exe
PID 1232 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\70C1.exe
PID 1232 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\Temp\70C1.exe
PID 656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\6867.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\6867.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\6867.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\6867.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\6867.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\6867.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 656 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\6867.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\EE74.exe

C:\Users\Admin\AppData\Local\Temp\EE74.exe

C:\Users\Admin\AppData\Local\Temp\EE74.exe

C:\Users\Admin\AppData\Local\Temp\EE74.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\443710a6-272d-424e-94dc-ae6078de243b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1575.exe

C:\Users\Admin\AppData\Local\Temp\1575.exe

C:\Users\Admin\AppData\Local\Temp\EE74.exe

"C:\Users\Admin\AppData\Local\Temp\EE74.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6653.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6653.dll

C:\Users\Admin\AppData\Local\Temp\EE74.exe

"C:\Users\Admin\AppData\Local\Temp\EE74.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6867.exe

C:\Users\Admin\AppData\Local\Temp\6867.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\70C1.exe

C:\Users\Admin\AppData\Local\Temp\70C1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 72

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp

Files

memory/2344-1-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2344-2-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/2344-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2344-5-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/1232-4-0x0000000002A60000-0x0000000002A76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2816-20-0x0000000000340000-0x00000000003D1000-memory.dmp

memory/2816-21-0x0000000000340000-0x00000000003D1000-memory.dmp

memory/2816-22-0x0000000002DD0000-0x0000000002EEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2744-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2744-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2816-30-0x0000000000340000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2744-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2744-32-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\443710a6-272d-424e-94dc-ae6078de243b\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2744-51-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\1575.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\Temp\1575.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2744-58-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\6653.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/2832-63-0x0000000002C60000-0x0000000002CF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\6653.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/2832-64-0x0000000002C60000-0x0000000002CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE74.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/752-74-0x0000000000420000-0x0000000000426000-memory.dmp

memory/2876-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/752-75-0x0000000010000000-0x0000000010251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6867.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\6867.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2876-73-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 3820120339bcec737104401bda1d6848
SHA1 9806ad3398f65df11544313f35d903a28e49acd3
SHA256 f121545d52cad35ba40ae60d3342dd4b800e6edc4f276db5c33daffd3454adfe
SHA512 616cb2a845b96064892393d3b120a2d26e0a6cfba7ff61c72d13b885da352fbf5829f0a49e0f21d83cb04d66ff56116acea41f49a101447fd97e3a4471c90de4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3cc1eab5e14e2d7a01804b22ecf4043
SHA1 1883aeaac8649c5b6848f2131ec56464b964f8fc
SHA256 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512 adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54d5d576db7a95f2c18c1a09c368ba74
SHA1 3780acabe99c556049db50622e3ee89ac11f2c80
SHA256 8c6fb81bfcb58298cae6cef014e74fd167a3dca40b9c10913bce1ebdbf24a8bb
SHA512 3e881f02ee9e1b9590c53349a673b90582c487d89113fe05c493ac11c721f39bf3a73a058063ea84d499b0ccee1f9dc205ce67843a690494aafdbfa9361d4312

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8eb32c9e1c278fc0403fcb7c29cd7295
SHA1 693f6a182875416fdcd3e15e73ee5f7e2d5dde2a
SHA256 c96d7188fa60b03c275e4fef796c27afa8f781031541868677cf5ce8fd9bece9
SHA512 b7788dafec76fb9d9d76641782e4112a600601aaf0a0a8f02de9501d113971769d3269deb8dbf4deb9ba42574b1ac91a520e76aa7785bb97441384adef83af50

C:\Users\Admin\AppData\Local\Temp\Cab6EE9.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/752-95-0x0000000002460000-0x000000000257B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70C1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\70C1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1540-103-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1540-107-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1540-106-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1540-110-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1540-112-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1540-108-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1540-105-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1540-104-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/752-118-0x0000000002580000-0x0000000002681000-memory.dmp

memory/2876-119-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\6867.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\6867.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\6867.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/752-123-0x0000000002580000-0x0000000002681000-memory.dmp

memory/2876-124-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 14:25

Reported

2023-10-15 14:29

Platform

win10v2004-20230915-en

Max time kernel

81s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9A66.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BAC4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3d7d816e-bc95-4f8e-821f-2113cd8e7517\\9A66.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9A66.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BE20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BE20.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BE20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BE20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\C41C.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 1184 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 3128 wrote to memory of 1184 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 3128 wrote to memory of 1184 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 1184 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 5036 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Windows\SysWOW64\icacls.exe
PID 5036 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Windows\SysWOW64\icacls.exe
PID 5036 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Windows\SysWOW64\icacls.exe
PID 5036 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 5036 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 5036 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 3128 wrote to memory of 5088 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADC0.exe
PID 3128 wrote to memory of 5088 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADC0.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 2784 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\9A66.exe C:\Users\Admin\AppData\Local\Temp\9A66.exe
PID 3128 wrote to memory of 4148 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3128 wrote to memory of 4148 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4148 wrote to memory of 4812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4148 wrote to memory of 4812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4148 wrote to memory of 4812 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3128 wrote to memory of 4672 N/A N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe
PID 3128 wrote to memory of 4672 N/A N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe
PID 3128 wrote to memory of 4672 N/A N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe
PID 4672 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\B39E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3128 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\BAC4.exe
PID 3128 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\BAC4.exe
PID 3128 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\BAC4.exe
PID 3128 wrote to memory of 4900 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE20.exe
PID 3128 wrote to memory of 4900 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE20.exe
PID 3128 wrote to memory of 4900 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE20.exe
PID 2228 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\BAC4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2228 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\BAC4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2228 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\BAC4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3128 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\C41C.exe
PID 3128 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\C41C.exe
PID 3128 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\C41C.exe
PID 512 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 512 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.3aec0ad346af22c0b4de3b6ac3a5f685eb2be4be5d250e79b3c6fc0d188766d0exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\9A66.exe

C:\Users\Admin\AppData\Local\Temp\9A66.exe

C:\Users\Admin\AppData\Local\Temp\9A66.exe

C:\Users\Admin\AppData\Local\Temp\9A66.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3d7d816e-bc95-4f8e-821f-2113cd8e7517" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9A66.exe

"C:\Users\Admin\AppData\Local\Temp\9A66.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ADC0.exe

C:\Users\Admin\AppData\Local\Temp\ADC0.exe

C:\Users\Admin\AppData\Local\Temp\9A66.exe

"C:\Users\Admin\AppData\Local\Temp\9A66.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2180 -ip 2180

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B2A3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B2A3.dll

C:\Users\Admin\AppData\Local\Temp\B39E.exe

C:\Users\Admin\AppData\Local\Temp\B39E.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4672 -ip 4672

C:\Users\Admin\AppData\Local\Temp\BAC4.exe

C:\Users\Admin\AppData\Local\Temp\BAC4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 264

C:\Users\Admin\AppData\Local\Temp\BE20.exe

C:\Users\Admin\AppData\Local\Temp\BE20.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\C41C.exe

C:\Users\Admin\AppData\Local\Temp\C41C.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C7B7.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C7B7.dll

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\C41C.exe

"C:\Users\Admin\AppData\Local\Temp\C41C.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\grrhfnlxagtw.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 146.59.161.13:39199 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
KR 211.119.84.111:80 wirtshauspost.at tcp
US 8.8.8.8:53 111.84.119.211.in-addr.arpa udp
KR 211.119.84.111:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
US 8.8.8.8:53 wirtshauspost.at udp
KR 175.120.254.9:80 wirtshauspost.at tcp
US 8.8.8.8:53 9.254.120.175.in-addr.arpa udp
KR 175.120.254.9:80 wirtshauspost.at tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
KR 175.120.254.9:80 wirtshauspost.at tcp
KR 175.120.254.9:80 wirtshauspost.at tcp
KR 175.120.254.9:80 wirtshauspost.at tcp
KR 175.120.254.9:80 wirtshauspost.at tcp
US 8.8.8.8:53 0d0a3149-39fd-49fa-88dd-0ed2c09d7df7.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 server12.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun4.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
JP 172.217.213.127:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 127.213.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp

Files

memory/3576-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/3576-2-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/3576-3-0x0000000000760000-0x000000000076B000-memory.dmp

memory/3128-4-0x0000000007050000-0x0000000007066000-memory.dmp

memory/3576-5-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/3128-11-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-12-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-14-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-15-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-13-0x00000000071D0000-0x00000000071E0000-memory.dmp

memory/3128-16-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-18-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-20-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-22-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-19-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-17-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-23-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-24-0x00000000080F0000-0x0000000008100000-memory.dmp

memory/3128-26-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-25-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-27-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

memory/3128-28-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-29-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-30-0x00000000071D0000-0x00000000071E0000-memory.dmp

memory/3128-32-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-34-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-35-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-36-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-37-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

memory/3128-38-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-40-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-39-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-41-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-42-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-44-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-43-0x00000000071C0000-0x00000000071D0000-memory.dmp

memory/3128-45-0x00000000071C0000-0x00000000071D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A66.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\9A66.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1184-55-0x0000000004900000-0x0000000004A1B000-memory.dmp

memory/1184-54-0x0000000002DC0000-0x0000000002E54000-memory.dmp

memory/5036-56-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A66.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/5036-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5036-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5036-60-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\3d7d816e-bc95-4f8e-821f-2113cd8e7517\9A66.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\9A66.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/5036-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ADC0.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

memory/2784-76-0x00000000047D0000-0x000000000486E000-memory.dmp

memory/2180-79-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A66.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2180-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2180-82-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B2A3.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\B39E.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\B2A3.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/4812-90-0x0000000000B10000-0x0000000000B16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B39E.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/4812-91-0x0000000010000000-0x0000000010251000-memory.dmp

memory/2308-93-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BAC4.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2308-97-0x0000000073180000-0x0000000073930000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BAC4.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2308-109-0x0000000007B40000-0x00000000080E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\BE20.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\Temp\BE20.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

memory/2308-115-0x0000000007670000-0x0000000007702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4900-117-0x00000000008B0000-0x00000000009B0000-memory.dmp

memory/4900-118-0x0000000000820000-0x000000000082B000-memory.dmp

memory/2308-120-0x00000000077B0000-0x00000000077C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C41C.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2308-122-0x0000000007760000-0x000000000776A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C41C.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4900-119-0x0000000000400000-0x00000000005B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7B7.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/2308-131-0x0000000007A10000-0x0000000007B1A000-memory.dmp

memory/2308-133-0x0000000007940000-0x0000000007952000-memory.dmp

memory/1460-135-0x0000000000D50000-0x0000000000DBB000-memory.dmp

memory/2308-134-0x00000000079A0000-0x00000000079DC000-memory.dmp

memory/1460-136-0x0000000001000000-0x0000000001075000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7B7.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/1460-137-0x0000000000D50000-0x0000000000DBB000-memory.dmp

memory/4612-140-0x0000000000C90000-0x0000000000C96000-memory.dmp

memory/2232-142-0x0000000004D00000-0x00000000050F9000-memory.dmp

memory/2308-139-0x00000000080F0000-0x000000000813C000-memory.dmp

memory/1796-144-0x0000000000B60000-0x0000000000B6C000-memory.dmp

memory/2232-148-0x0000000005100000-0x00000000059EB000-memory.dmp

memory/1796-152-0x0000000000B60000-0x0000000000B6C000-memory.dmp

memory/4812-130-0x00000000028C0000-0x00000000029DB000-memory.dmp

memory/2308-128-0x0000000008710000-0x0000000008D28000-memory.dmp

memory/1796-162-0x0000000005100000-0x00000000059EB000-memory.dmp

memory/2232-169-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4812-170-0x00000000029E0000-0x0000000002AE1000-memory.dmp

memory/4812-172-0x00000000029E0000-0x0000000002AE1000-memory.dmp

memory/5088-171-0x00007FF6CF6B0000-0x00007FF6D0001000-memory.dmp

memory/4900-175-0x0000000000400000-0x00000000005B5000-memory.dmp

memory/3128-173-0x0000000007190000-0x00000000071A6000-memory.dmp

memory/4812-178-0x00000000029E0000-0x0000000002AE1000-memory.dmp

memory/1460-179-0x0000000000D50000-0x0000000000DBB000-memory.dmp

memory/4812-180-0x0000000010000000-0x0000000010251000-memory.dmp

memory/2308-181-0x0000000073180000-0x0000000073930000-memory.dmp

memory/4812-182-0x00000000029E0000-0x0000000002AE1000-memory.dmp

memory/2308-184-0x00000000077B0000-0x00000000077C0000-memory.dmp

memory/2328-183-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

memory/2328-185-0x0000000073180000-0x0000000073930000-memory.dmp

memory/2328-186-0x0000000005220000-0x0000000005230000-memory.dmp

memory/4612-187-0x0000000002A90000-0x0000000002BAB000-memory.dmp

memory/2328-188-0x0000000005860000-0x0000000005E88000-memory.dmp

memory/2328-189-0x00000000056E0000-0x0000000005702000-memory.dmp

memory/2328-190-0x00000000057B0000-0x0000000005816000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbby1402.gyq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2328-196-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/2328-201-0x0000000006000000-0x0000000006354000-memory.dmp

memory/2232-202-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4612-204-0x0000000002BB0000-0x0000000002CB1000-memory.dmp

memory/4612-206-0x0000000002BB0000-0x0000000002CB1000-memory.dmp

memory/2328-207-0x00000000064C0000-0x00000000064DE000-memory.dmp

memory/4612-209-0x0000000002BB0000-0x0000000002CB1000-memory.dmp

memory/2232-210-0x0000000004D00000-0x00000000050F9000-memory.dmp

memory/2232-211-0x0000000005100000-0x00000000059EB000-memory.dmp

memory/2328-212-0x0000000006890000-0x00000000068D4000-memory.dmp

memory/5088-213-0x00007FF6CF6B0000-0x00007FF6D0001000-memory.dmp

memory/1796-214-0x0000000005100000-0x00000000059EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

memory/2232-251-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1336-255-0x00007FF6E7F40000-0x00007FF6E9179000-memory.dmp

memory/1336-263-0x00007FF6E7F40000-0x00007FF6E9179000-memory.dmp

memory/1336-265-0x00007FF6E7F40000-0x00007FF6E9179000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\C41C.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Roaming\egfbheu

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 787733a9f9e883cdad571a8a6c1cc006
SHA1 efc2ca6ff47d0481ba0506196d4b46602ec3fea3
SHA256 1dddf6a66bd78bfbc9dfc06d474070f2b44c51cf0693e8c4207fb148b5a30451
SHA512 c7e0011735bd5dee186cacda0ae81c5613946d56c662a5fab7311b1296fb26a3a77d0b76aadda155d9d684eceafa18ec6736a1dab7cf81c9368a2c0d41d8d44c

C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Program Files\Google\Chrome\updater.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9fff5a7a54676eb9ef805ba055346e13
SHA1 1d9580b8c6224003ed7fd739f6e05e715d9f2911
SHA256 28e1bc42bc91fe9377c8f6a8888affe17eab13284ce524dae2c8eeb4a5f15f48
SHA512 e81dd4a3ae6b4f14cd85ef33ebf34429bbb4a2c90535366270a272bedc19cd074db28940943dc677ed442bfdfb86b6f94cf6a25972d8bcee771bcc87f2470c22

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 682096c94c2f452f7ef4bd008b2430fa
SHA1 003e5c32b9d020df871198321b03f4240694126c
SHA256 1d5666bb77fac24ddb90d8f6128ea3ec533ce987d2c44eb3e7c7ce058a12bb5d
SHA512 0a10fb204d78f2bba689fe0c06d4784716c5c257d8ab534769c801c69f4f8417207f371ec923b9f3a919c76a8b9c077a49af5325e1ff895bb849edd1eaedcd6d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b7f13dd2a946fc03692e3a9d19868bf2
SHA1 73d5dcc2ce9ede0bb89a108e5bbd972de228717d
SHA256 c94fdb7254ae1b5c3e9a4c8f73f9b0b9ea1e419cf000ed34dd30febdbd7d52f2
SHA512 e9e9065d3687fb516ab6817203098ec9adaa36542f9549665369aa06fb97d25c31b8c70575cb0f24079b3356e4452ce0740283d0c3cfc32275492db4a50889ba

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 776818c08f21ccf964ff682aa584282a
SHA1 edb3b06b52d4ab5b7dd7be3fff768e016627cf9e
SHA256 0edc696a348dfabd9f389e680ed3b88b05ed6bad68d17158eb8e0f35cd1fa9c1
SHA512 efcdbd4fe6a5b125d9246410ca6366dc812b23e82a34e586300a9708e7b375f0bc8c8d3d8d95d6b53f64b08b24956d123b8f2b64432f62362a066eaaba9e4169

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\System32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Windows\TEMP\grrhfnlxagtw.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Program Files\Google\Chrome\updater.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4