Malware Analysis Report

2025-01-18 05:35

Sample ID 231015-sgh5waac68
Target NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe
SHA256 afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceeb
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan vidar d37c48c18c73cc0e155c7e1dfde06db9 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceeb

Threat Level: Known bad

The file NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

Amadey

Glupteba payload

RedLine payload

Vidar

Djvu Ransomware

Glupteba

Detected Djvu ransomware

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 15:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 15:05

Reported

2023-10-15 15:09

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\22A7.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\22A7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\22A7.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\34AA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1EED.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8112e5cb-f2bd-480c-bcd8-bad8e34e8620\\1EED.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1EED.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\22A7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22A7.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5748.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3E02.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3E02.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3E02.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\5748.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3E02.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22A7.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5748.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 3400 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3152 wrote to memory of 3400 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3152 wrote to memory of 3400 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3152 wrote to memory of 3460 N/A N/A C:\Users\Admin\AppData\Local\Temp\22A7.exe
PID 3152 wrote to memory of 3460 N/A N/A C:\Users\Admin\AppData\Local\Temp\22A7.exe
PID 3152 wrote to memory of 3460 N/A N/A C:\Users\Admin\AppData\Local\Temp\22A7.exe
PID 3152 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe
PID 3152 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe
PID 3152 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3400 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Users\Admin\AppData\Local\Temp\1EED.exe
PID 3152 wrote to memory of 1028 N/A N/A C:\Users\Admin\AppData\Local\Temp\34AA.exe
PID 3152 wrote to memory of 1028 N/A N/A C:\Users\Admin\AppData\Local\Temp\34AA.exe
PID 3152 wrote to memory of 1028 N/A N/A C:\Users\Admin\AppData\Local\Temp\34AA.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2C0E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3152 wrote to memory of 3928 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E02.exe
PID 3152 wrote to memory of 3928 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E02.exe
PID 3152 wrote to memory of 3928 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E02.exe
PID 1028 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\34AA.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1028 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\34AA.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1028 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\34AA.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1192 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1192 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1192 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3152 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\Temp\5748.exe
PID 3152 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\Temp\5748.exe
PID 3152 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\Temp\5748.exe
PID 1192 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 768 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Windows\SysWOW64\icacls.exe
PID 768 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Windows\SysWOW64\icacls.exe
PID 768 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\1EED.exe C:\Windows\SysWOW64\icacls.exe
PID 3152 wrote to memory of 1996 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3152 wrote to memory of 1996 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1996 wrote to memory of 3708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 3708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 3708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 648 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 648 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 648 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 648 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 648 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 648 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 648 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\1EED.exe

C:\Users\Admin\AppData\Local\Temp\1EED.exe

C:\Users\Admin\AppData\Local\Temp\22A7.exe

C:\Users\Admin\AppData\Local\Temp\22A7.exe

C:\Users\Admin\AppData\Local\Temp\2C0E.exe

C:\Users\Admin\AppData\Local\Temp\2C0E.exe

C:\Users\Admin\AppData\Local\Temp\1EED.exe

C:\Users\Admin\AppData\Local\Temp\1EED.exe

C:\Users\Admin\AppData\Local\Temp\34AA.exe

C:\Users\Admin\AppData\Local\Temp\34AA.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\3E02.exe

C:\Users\Admin\AppData\Local\Temp\3E02.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1372 -ip 1372

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 140

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\5748.exe

C:\Users\Admin\AppData\Local\Temp\5748.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8112e5cb-f2bd-480c-bcd8-bad8e34e8620" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5A66.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5A66.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\665D.exe

C:\Users\Admin\AppData\Local\Temp\665D.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1EED.exe

"C:\Users\Admin\AppData\Local\Temp\1EED.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1EED.exe

"C:\Users\Admin\AppData\Local\Temp\1EED.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5748.exe

"C:\Users\Admin\AppData\Local\Temp\5748.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
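
The command lines listed above are the most portable detection material in this report. The Task Scheduler entry re-runs yiueea.exe every minute (/SC MINUTE /MO 1); the cacls chain first replaces the Admin user's rights on the dropped binary and its folder with none (/P Admin:N) and then edits read access back in (/P Admin:R /E), so the account that created the file can no longer delete or modify it; the icacls call denies Everyone (S-1-1-0) delete and delete-child rights on the Djvu drop folder, inherited to its contents via (OI)(CI); and the netsh rule allows inbound traffic to a csrss.exe living in C:\Windows\rss rather than System32. The Python below is an added example, not part of the sandbox output, that encodes those behaviours as simple rules and runs them over constructed process events copied from the list above plus one benign control; the (image, command line) tuple is an assumed minimal event shape for the example, not any EDR's schema.

```python
import re

# Constructed sample events copied from the "Processes" list above, plus one
# benign control. The (image, command line) pair is an assumed minimal schema
# for this example, not a real EDR or Sysmon field layout.
EVENTS = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\8112e5cb-f2bd-480c-bcd8-bad8e34e8620" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\system32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5A66.dll"),
    # Benign control: a vendor updater task from Program Files must not fire.
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC DAILY /TN Updater /TR "C:\Program Files\Vendor\update.exe"'),
]

# Locations a standard user can write to; persistence pointing here is suspect.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Temp)\\", re.I)
# Where a firewall-allowed program is normally expected to live.
STANDARD_DIRS = re.compile(r"^[a-z]:\\(?:windows\\(?:system32|syswow64)|program files(?: \(x86\))?)\\", re.I)

def arg_after(cmd, flag):
    # Value following a flag such as /TR, honouring double quotes around paths with spaces.
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None

def rule_minute_task(image, cmd):
    # Amadey-style: a task that relaunches a user-path binary every N minutes.
    if not image.lower().endswith("schtasks.exe"):
        return None
    if not (re.search(r"/create\b", cmd, re.I) and re.search(r"/sc\s+minute\b", cmd, re.I)):
        return None
    target = arg_after(cmd, "/TR") or ""
    return "persistence.schtasks_minute_userpath" if USER_WRITABLE.search(target) else None

def rule_acl_lockdown(image, cmd):
    # Self-protection: cacls "/P user:N" (no rights) or icacls "/deny" on the drop location.
    low = cmd.lower()
    if "cacls" not in low:  # matches both cacls and icacls
        return None
    if re.search(r'/p\s+"?[^"\s]+:n\b', low) or "/deny" in low:
        return "defense_evasion.acl_lockdown"
    return None

def rule_firewall_allow(image, cmd):
    # Inbound allow rule for a program outside System32 / Program Files.
    low = cmd.lower()
    if not ("advfirewall" in low and "add rule" in low and "action=allow" in low):
        return None
    m = re.search(r'program="?([^"\s]+)"?', cmd, re.I)
    if m and not STANDARD_DIRS.match(m.group(1)):
        return "defense_evasion.firewall_allow_nonstandard"
    return None

def rule_regsvr32_userpath(image, cmd):
    # Silent (/s) registration of a DLL dropped under a user-writable path.
    if not image.lower().endswith("regsvr32.exe"):
        return None
    parts = cmd.split()
    dll = parts[-1].strip('"') if parts else ""
    if re.search(r"(^|\s)/s(\s|$)", cmd, re.I) and dll.lower().endswith(".dll") and USER_WRITABLE.search(dll):
        return "execution.regsvr32_userpath_dll"
    return None

RULES = (rule_minute_task, rule_acl_lockdown, rule_firewall_allow, rule_regsvr32_userpath)

def evaluate(events):
    """Run every rule over every (image, cmdline) event; returns [(rule_name, cmdline), ...]."""
    hits = []
    for image, cmd in events:
        for rule in RULES:
            name = rule(image, cmd)
            if name:
                hits.append((name, cmd))
    return hits

if __name__ == "__main__":
    for name, cmd in evaluate(EVENTS):
        print(f"{name:44} {cmd[:80]}")
```

Killing the running processes is not enough against the first two behaviours: the task has to be removed (schtasks /Delete /TN yiueea.exe /F) and the ACLs reset (icacls <path> /reset, or icacls <dir> /remove:d *S-1-1-0 /T for the Djvu folder) before the dropped files can be deleted.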

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
AR 190.139.250.133:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 133.250.139.190.in-addr.arpa udp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
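
Not every row above is an indicator. The *.in-addr.arpa queries to 8.8.8.8 are reverse (PTR) lookups for addresses that also appear as connection targets, written with the octets reversed (237.245.94.34.in-addr.arpa is 34.94.245.237, the sumagulituyo.org host), so they add nothing a blocklist built from the forward rows does not already contain. api.2ip.ua is a public IP-geolocation service (the "Looks up external IP address via web service" signature) that benign software also uses, so on its own it is a weak indicator. The rows with no Domain column (146.59.161.13:39199, 31.41.244.27:41140) are direct-to-IP connections and can only be blocked by address, and the many identical wirtshauspost.at rows are repeated connections to one host that collapse to a single indicator. The Python below is an added example, not part of the report, that parses the table in the layout shown here and sorts rows into those buckets; the sample rows are a constructed subset copied from the table, and the resolver address and the set of lookup services are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of rows copied from the "Network" table above,
# in its layout (Country, Destination, Domain, Proto; Domain may be absent).
ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
FR 146.59.161.13:39199 tcp
RU 31.41.244.27:41140 tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
AR 190.139.250.133:80 wirtshauspost.at tcp
"""

RESOLVER = ("8.8.8.8", 53)           # assumption: the sandbox's DNS server
IP_LOOKUP_SERVICES = {"api.2ip.ua"}  # assumption: public "what is my IP" services

def parse_row(line):
    """Split one table row into its fields; Domain is empty for direct-to-IP connections."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, _, port = dest.rpartition(":")
    return {"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto}

def is_ptr_lookup(row):
    """A reverse-DNS query: it carries no indicator the forward rows do not already hold."""
    return (row["ip"], row["port"]) == RESOLVER and row["domain"].endswith(".in-addr.arpa")

def ptr_to_ip(name):
    """'237.245.94.34.in-addr.arpa' -> '34.94.245.237': PTR names list the octets backwards."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def triage(text):
    """Bucket the rows: named hosts with their endpoints, direct-to-IP endpoints,
    lookup services, and names that were resolved but never connected to."""
    domains, queried = defaultdict(set), set()
    direct_ips, lookup_services = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if (row["ip"], row["port"]) == RESOLVER:
            if not is_ptr_lookup(row):
                queried.add(row["domain"])
            continue
        endpoint = f'{row["ip"]}:{row["port"]}'
        if row["domain"] in IP_LOOKUP_SERVICES:
            lookup_services.add(row["domain"])
        elif not row["domain"] or _is_ip(row["domain"]):
            direct_ips.add(endpoint)
        else:
            domains[row["domain"]].add(endpoint)
    return {
        "domains": dict(domains),
        "direct_ips": direct_ips,
        "lookup_services": lookup_services,
        "resolved_only": queried - set(domains) - lookup_services,
    }

if __name__ == "__main__":
    result = triage(ROWS)
    for domain, endpoints in sorted(result["domains"].items()):
        print(f"{domain:28} {', '.join(sorted(endpoints))}")
    print("direct:", ", ".join(sorted(result["direct_ips"])))
    print("lookup services:", ", ".join(sorted(result["lookup_services"])))
```

Run over the full table the same code separates the ten named hosts from the three direct-to-IP endpoints and the one lookup service; the resolved_only bucket is empty here because every name that was queried was also connected to, but on other reports it is where dead or sinkholed C2 names show up.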

Files

memory/1032-1-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/1032-2-0x0000000000860000-0x000000000086B000-memory.dmp

memory/1032-3-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/3152-4-0x0000000007000000-0x0000000007016000-memory.dmp

memory/1032-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1032-8-0x0000000000860000-0x000000000086B000-memory.dmp

memory/3152-9-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-10-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-11-0x00000000070B0000-0x00000000070C0000-memory.dmp

memory/3152-12-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-13-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-14-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-15-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-16-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-18-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-20-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-21-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-22-0x00000000070D0000-0x00000000070E0000-memory.dmp

memory/3152-23-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-25-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-27-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-29-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-26-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-33-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-31-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-34-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-24-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-36-0x00000000070B0000-0x00000000070C0000-memory.dmp

memory/3152-39-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-38-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-37-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-35-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-40-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-42-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-43-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-47-0x00000000070D0000-0x00000000070E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1EED.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\1EED.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3152-56-0x00000000070A0000-0x00000000070B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22A7.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/3152-61-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-63-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-65-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-68-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3460-64-0x0000000000C30000-0x00000000013B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22A7.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

C:\Users\Admin\AppData\Local\Temp\2C0E.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/3460-74-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3460-75-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3152-73-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-80-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3460-81-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/768-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-89-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3400-88-0x0000000004860000-0x00000000048F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1EED.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3460-84-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3152-83-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/768-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-79-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3460-78-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3460-77-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3152-76-0x00000000070A0000-0x00000000070B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C0E.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/3152-94-0x0000000007870000-0x0000000007873000-memory.dmp

memory/3152-97-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-98-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3460-99-0x0000000077E14000-0x0000000077E16000-memory.dmp

memory/768-100-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-104-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-108-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/768-105-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3152-102-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-93-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-91-0x0000000007860000-0x0000000007861000-memory.dmp

memory/3400-90-0x0000000004A00000-0x0000000004B1B000-memory.dmp

memory/3152-71-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-110-0x00000000070A0000-0x00000000070B0000-memory.dmp

memory/3152-113-0x00000000070A0000-0x00000000070B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34AA.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3460-112-0x0000000000C30000-0x00000000013B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34AA.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3460-118-0x0000000005CC0000-0x0000000006264000-memory.dmp

memory/2408-119-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3460-120-0x00000000057B0000-0x0000000005842000-memory.dmp

memory/3460-122-0x0000000000C30000-0x00000000013B0000-memory.dmp

memory/3460-123-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3460-125-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3460-126-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3460-124-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3152-127-0x0000000007870000-0x0000000007873000-memory.dmp

memory/3460-128-0x0000000075E10000-0x0000000075F00000-memory.dmp

memory/3460-129-0x0000000075E10000-0x0000000075F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E02.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

memory/3460-132-0x0000000005950000-0x00000000059EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E02.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2408-135-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/2408-141-0x0000000007930000-0x0000000007940000-memory.dmp

memory/3460-146-0x0000000005760000-0x000000000576A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3928-145-0x0000000000660000-0x0000000000760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5748.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\5748.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/768-161-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5A66.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Local\Temp\5A66.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/3708-171-0x0000000010000000-0x00000000101E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\665D.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

C:\Users\Admin\AppData\Local\Temp\665D.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

memory/3152-181-0x0000000007820000-0x0000000007836000-memory.dmp

memory/1668-182-0x0000000000400000-0x000000000046B000-memory.dmp

memory/3928-187-0x0000000000400000-0x00000000005B5000-memory.dmp

C:\Users\Admin\AppData\Local\8112e5cb-f2bd-480c-bcd8-bad8e34e8620\1EED.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2960-189-0x0000000000320000-0x000000000032C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1EED.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/768-215-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3708-218-0x0000000002630000-0x0000000002753000-memory.dmp

memory/3708-219-0x0000000002760000-0x0000000002868000-memory.dmp

memory/3708-221-0x0000000002760000-0x0000000002868000-memory.dmp

memory/3708-224-0x0000000002760000-0x0000000002868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1EED.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/4344-228-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4344-231-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4344-234-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3708-235-0x0000000002760000-0x0000000002868000-memory.dmp

memory/3988-236-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3988-252-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\hsuvbsc

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duupbfz2.dk4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 c671d50d589ce7be9ad3ff4035e6ad63
SHA1 88cdc154077c8264149cb8b19e16ba07901e1dd6
SHA256 fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568
SHA512 a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9

C:\Users\Admin\AppData\Local\Temp\5748.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c01b17e75622660377f1b5f94e9bbf01
SHA1 2073ccaa9ef35aef12d39021521759c976008c52
SHA256 fa03cf73b40caecd17809e02592ea04909e1744d4740247a7ad3c4b79a55bd45
SHA512 3676b7d32771b1f9b5cee807269b0a4c454df503d0b9d7c4634190c163e0894212aefa2cda5e9aaa92d81d266a71eea19fbf9ccf0e1136ababff82fbbc923361

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 de6559b70e6b911a13e57128260e5064
SHA1 c122df8c88f0496ca80aba7d6558a3225d2050fe
SHA256 6c3616824742e110a2075960f62fa6427f11147ab9cf39dcb7a201c9c4a0de6e
SHA512 3d27ba4d82cc92e707b3ab787be6cdc6c6237db523548907070855c729483d9dbdd286e4956b08af4d65b70631ea19145aac1cc720b731365f9b88dda56ba7e9
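
The dropped-file list above repeats several hashes under different names, and that repetition is informative: 34AA.exe and 577f58beff\yiueea.exe share SHA256 f9f9b154…, 3E02.exe and Roaming\hsuvbsc share f1d98060…, and Temp\1EED.exe reappears as 8112e5cb-f2bd-480c-bcd8-bad8e34e8620\1EED.exe. Each payload copies itself to the location its persistence mechanism later launches, which is consistent with the families tagged on this sample: the scheduled task for yiueea.exe, the randomly named copy under Roaming, and the GUID-named folder with the SysHelper Run key seen in the win7 run. Entries of the form memory/PID-N-start-end-memory.dmp are dumped memory regions, not files on disk, and carry no hash. The Python below is an added example, not part of the report, that parses a constructed subset of the list in this layout, groups files by SHA256 to surface those self-copies, and reports the largest dumped region per PID as a starting point for unpacking.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Files" list above in the report's own
# layout (a path line followed by hash lines; "memory/..." lines are region dumps).
FILES_TEXT = r"""
memory/3152-56-0x00000000070A0000-0x00000000070B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34AA.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

C:\Users\Admin\AppData\Local\Temp\3E02.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288

memory/3988-236-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\hsuvbsc

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288

C:\Users\Admin\AppData\Local\Temp\5A66.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
MEMDUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_files(text):
    """Return records: ("file", path, {hash_kind: hex}) or ("memdump", pid, (start, end))."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            current = None
            records.append(("memdump", int(m.group(1)), (int(m.group(2), 16), int(m.group(3), 16))))
            continue
        h = HASH_RE.match(line)
        if h:
            if current is not None:
                current[2][h.group(1).upper()] = h.group(2).lower()
            continue
        current = ("file", line, {})  # any other non-blank line starts a new dropped file
        records.append(current)
    return records

def group_by_sha256(records):
    """SHA256 -> sorted distinct paths it was written to."""
    groups = defaultdict(set)
    for kind, key, payload in records:
        if kind == "file" and "SHA256" in payload:
            groups[payload["SHA256"]].add(key)
    return {h: sorted(paths) for h, paths in groups.items()}

def self_copies(records):
    """Hashes seen under more than one path: the persistence copy a payload makes of itself."""
    return {h: paths for h, paths in group_by_sha256(records).items() if len(paths) > 1}

def largest_dump_per_pid(records):
    """PID -> size in bytes of its largest dumped region, a first pick for unpacking."""
    best = {}
    for kind, key, payload in records:
        if kind == "memdump":
            best[key] = max(best.get(key, 0), payload[1] - payload[0])
    return best

if __name__ == "__main__":
    recs = parse_files(FILES_TEXT)
    for sha, paths in self_copies(recs).items():
        print(sha[:16], "->", " | ".join(paths))
    for pid, size in sorted(largest_dump_per_pid(recs).items()):
        print(f"pid {pid}: largest dump {size:#x} bytes")
```

The hash groups double as the deduplicated file-indicator list for the sample: three distinct binaries in this subset, each to be blocked by SHA256 rather than by the throwaway file names under Temp.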

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 15:05

Reported

2023-10-15 15:10

Platform

win7-20230831-en

Max time kernel

44s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\E6F6.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\E6F6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\E6F6.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eb114921-e403-45c7-92da-e4bcfebb335c\\E1B8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E1B8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E6F6.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F6.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EA51.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1268 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1268 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1268 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 620 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1268 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F6.exe
PID 1268 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F6.exe
PID 1268 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F6.exe
PID 1268 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F6.exe
PID 1268 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe
PID 1268 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe
PID 1268 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe
PID 1268 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\SysWOW64\WerFault.exe
PID 2900 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\SysWOW64\WerFault.exe
PID 2900 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\SysWOW64\WerFault.exe
PID 2900 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\EA51.exe C:\Windows\SysWOW64\WerFault.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 2792 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 2792 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 2792 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 1268 wrote to memory of 2316 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF1A.exe
PID 1268 wrote to memory of 2316 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF1A.exe
PID 1268 wrote to memory of 2316 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF1A.exe
PID 1268 wrote to memory of 2316 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF1A.exe
PID 1060 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\E1B8.exe C:\Users\Admin\AppData\Local\Temp\E1B8.exe
PID 2316 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\FF1A.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2316 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\FF1A.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

C:\Users\Admin\AppData\Local\Temp\E6F6.exe

C:\Users\Admin\AppData\Local\Temp\E6F6.exe

C:\Users\Admin\AppData\Local\Temp\EA51.exe

C:\Users\Admin\AppData\Local\Temp\EA51.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 72

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\eb114921-e403-45c7-92da-e4bcfebb335c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

"C:\Users\Admin\AppData\Local\Temp\E1B8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FF1A.exe

C:\Users\Admin\AppData\Local\Temp\FF1A.exe

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

"C:\Users\Admin\AppData\Local\Temp\E1B8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\ACE.exe

C:\Users\Admin\AppData\Local\Temp\ACE.exe

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

"C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {14EA78BB-7F4F-4D2F-84B6-1F1237AC5AF3} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2052.dll

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

"C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2052.dll

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe

"C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\A309.exe

C:\Users\Admin\AppData\Local\Temp\A309.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\wffewjf

C:\Users\Admin\AppData\Roaming\wffewjf

Network

Country Destination Domain Proto

Files

memory/2804-1-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2804-2-0x00000000002A0000-0x00000000002AB000-memory.dmp

memory/2804-3-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1268-4-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

memory/2804-8-0x00000000002A0000-0x00000000002AB000-memory.dmp

memory/2804-5-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/620-21-0x0000000000230000-0x00000000002C1000-memory.dmp

memory/620-22-0x0000000000230000-0x00000000002C1000-memory.dmp

memory/620-23-0x00000000045C0000-0x00000000046DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2792-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2792-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/620-30-0x0000000000230000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2792-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-33-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E6F6.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/2416-38-0x00000000008F0000-0x0000000001070000-memory.dmp

memory/2416-39-0x00000000761D0000-0x00000000762E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA51.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\EA51.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2416-43-0x0000000075600000-0x0000000075647000-memory.dmp

memory/2416-49-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-50-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-51-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-53-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-54-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-55-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-56-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-57-0x0000000075600000-0x0000000075647000-memory.dmp

memory/2416-58-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-59-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-60-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-61-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-62-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-63-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-64-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-65-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-66-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-67-0x0000000077750000-0x0000000077752000-memory.dmp

memory/576-68-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-69-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-70-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-71-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/576-73-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-77-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-75-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\EA51.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\EA51.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\EA51.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2416-81-0x00000000008F0000-0x0000000001070000-memory.dmp

memory/2416-82-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/576-83-0x00000000744D0000-0x0000000074BBE000-memory.dmp

\Users\Admin\AppData\Local\Temp\EA51.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\eb114921-e403-45c7-92da-e4bcfebb335c\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/576-103-0x00000000043B0000-0x00000000043F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2416-102-0x00000000053F0000-0x0000000005430000-memory.dmp

memory/2792-107-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1060-109-0x0000000000310000-0x00000000003A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\FF1A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1060-110-0x0000000000310000-0x00000000003A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E1B8.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1072-125-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1060-124-0x0000000000310000-0x00000000003A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF1A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1072-127-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2416-128-0x00000000008F0000-0x0000000001070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2416-133-0x00000000761D0000-0x00000000762E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ba0f25b45573475072812e3e6be96d2
SHA1 f5c62c1b154c665c2aaf9b6c62f45e5fb57cf2fc
SHA256 57abed2dc76d897fe9c0496e2078deefcc488bfdd3cdf5899ae5d0b3a4bf5dd0
SHA512 efdcbd2240dd4b01c3a8694a814ba6d878d8b887f04c7f7d968fc396aa0b5b533ea42aab9ad6e18f5c390c797211859fa0d5d3acb23ac3589943d0b499b45eca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e3dd3b18ee77c1cd3c710e84c991febd
SHA1 0bd43c01acc5ff803d5f0acbb185d526f0b09740
SHA256 caf85d004b2908c3a32939d6273a1b751fce0a48ff17f1d0f8f3a8a03d493037
SHA512 7c056952badf383a10502ffb8828a6dcdec5ff1d2c1b13f7ad4f15df4f79f7ed38aacc12506fc686f0783d08b5ee09dfea6926c9854e9eb090278ad896e0b7a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3cc1eab5e14e2d7a01804b22ecf4043
SHA1 1883aeaac8649c5b6848f2131ec56464b964f8fc
SHA256 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512 adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 077e9c180155af4ff27627e6486a8cf8
SHA1 6b85fd3025fe7ae9d16b54be39904400847b4715
SHA256 cfa792bed5643bb98f5f828fe2e45f3673fdfa273ffe86aecff4c536f795c035
SHA512 10c4006a87b7492f1a6d7a03ff1aa3104a41b7405d0b74aa5a87b4dc68285571174dac9f0042202172e246127bd808a55816e7153d8f78db8c464b30ab7852ab

C:\Users\Admin\AppData\Local\Temp\Cab223.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1072-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1072-148-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2416-149-0x0000000075600000-0x0000000075647000-memory.dmp

memory/2416-150-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-151-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-152-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-153-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-154-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-155-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/320-166-0x0000000004920000-0x0000000004D18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ACE.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2416-168-0x00000000761D0000-0x00000000762E0000-memory.dmp

memory/2416-169-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/320-170-0x0000000004920000-0x0000000004D18000-memory.dmp

memory/576-171-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/320-172-0x0000000004D20000-0x000000000560B000-memory.dmp

memory/320-176-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ACE.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1072-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1072-179-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1072-180-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2416-197-0x00000000053F0000-0x0000000005430000-memory.dmp

memory/2332-198-0x00000000022B0000-0x0000000002301000-memory.dmp

memory/576-199-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/2332-195-0x00000000002B4000-0x00000000002E3000-memory.dmp

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1492-193-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2052.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/1492-191-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\Temp\2052.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2660-204-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2660-203-0x00000000001A0000-0x00000000001A6000-memory.dmp

memory/1072-206-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ACE.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1072-219-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\Temp\A309.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

C:\Users\Admin\AppData\Local\Temp\A309.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

C:\Users\Admin\AppData\Roaming\wffewjf

MD5 9b9f7d15b36027928f3bf3397139eca3
SHA1 cc3816b1ab8a4fb9518aa28550bf2fe718d1c305
SHA256 afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceeb
SHA512 6051df3dcee86f2a609440f30d56dd78f0b45ade920173773e08966fb5a1b0796dac86a43702fe7a3185a5de78ecac51bc80ac6f59c200c14d138711b14f85f8

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
