Malware Analysis Report

2025-01-18 05:34

Sample ID 231015-vvbdasbg24
Target file
SHA256 deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
Tags
amadey djvu glupteba redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) backdoor discovery dropper evasion infostealer loader ransomware stealer themida trojan pub1 collection persistence rootkit spyware upx
score
10/10


Analysis Overview


Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary


Glupteba payload

Djvu Ransomware

RedLine

Glupteba

Detected Djvu ransomware

SmokeLoader

RedLine payload

Amadey

Vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Themida packer

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Checks SCSI registry key(s)

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2023-10-15 17:18

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 17:18

Reported

2023-10-15 17:21

Platform

win7-20230831-en

Max time kernel

46s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload


RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\365D.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\365D.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\365D.exe N/A

Deletes itself


Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\365D.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\365D.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 2680 N/A C:\Users\Admin\AppData\Local\Temp\31CA.exe C:\Users\Admin\AppData\Local\Temp\31CA.exe
PID 2656 set thread context of 2512 N/A C:\Users\Admin\AppData\Local\Temp\39B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\39B8.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\Temp\31CA.exe
PID 3068 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\31CA.exe C:\Users\Admin\AppData\Local\Temp\31CA.exe
PID 1276 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\Temp\365D.exe
PID 1276 wrote to memory of 2656 N/A N/A C:\Users\Admin\AppData\Local\Temp\39B8.exe
PID 1276 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\Temp\430C.exe
PID 2656 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\39B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1276 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B95.exe
PID 2656 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\39B8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2516 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\430C.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2172 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 292 N/A N/A C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\31CA.exe

C:\Users\Admin\AppData\Local\Temp\31CA.exe

C:\Users\Admin\AppData\Local\Temp\31CA.exe

C:\Users\Admin\AppData\Local\Temp\31CA.exe

C:\Users\Admin\AppData\Local\Temp\365D.exe

C:\Users\Admin\AppData\Local\Temp\365D.exe

C:\Users\Admin\AppData\Local\Temp\39B8.exe

C:\Users\Admin\AppData\Local\Temp\39B8.exe

C:\Users\Admin\AppData\Local\Temp\430C.exe

C:\Users\Admin\AppData\Local\Temp\430C.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\4B95.exe

C:\Users\Admin\AppData\Local\Temp\4B95.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 72

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\55F2.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\55F2.dll

C:\Users\Admin\AppData\Local\Temp\6A0F.exe

C:\Users\Admin\AppData\Local\Temp\6A0F.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\dd747644-8f85-4c87-9099-eef4762b47f7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\31CA.exe

"C:\Users\Admin\AppData\Local\Temp\31CA.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\31CA.exe

"C:\Users\Admin\AppData\Local\Temp\31CA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015171946.log C:\Windows\Logs\CBS\CbsPersist_20231015171946.cab

C:\Windows\system32\taskeng.exe

taskeng.exe {B8D879BD-4C7E-4007-82D6-F266A35C0DEA} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\jibicac

C:\Users\Admin\AppData\Roaming\jibicac

C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build2.exe

"C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build2.exe"

C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build2.exe

"C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build2.exe"

C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build3.exe

"C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build3.exe"

C:\Users\Admin\AppData\Local\Temp\4B95.exe

"C:\Users\Admin\AppData\Local\Temp\4B95.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network


Files

memory/2080-1-0x0000000000760000-0x0000000000860000-memory.dmp

memory/2080-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2080-3-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/2080-5-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/1276-4-0x0000000002B40000-0x0000000002B56000-memory.dmp

memory/2080-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3068-21-0x00000000043D0000-0x0000000004461000-memory.dmp

memory/3068-22-0x00000000043D0000-0x0000000004461000-memory.dmp

memory/3068-23-0x00000000044A0000-0x00000000045BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2680-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2680-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3068-32-0x00000000043D0000-0x0000000004461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\365D.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/2600-36-0x0000000000260000-0x00000000009E0000-memory.dmp

memory/2680-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-39-0x0000000075FD0000-0x00000000760E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\39B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\39B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2600-45-0x00000000760E0000-0x0000000076127000-memory.dmp

memory/2600-46-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-47-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-48-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-49-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-50-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2680-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-52-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-53-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-57-0x00000000760E0000-0x0000000076127000-memory.dmp

memory/2600-58-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-59-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-60-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-61-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-62-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-64-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-65-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-66-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-67-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-68-0x0000000077B60000-0x0000000077B62000-memory.dmp

memory/2600-63-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-55-0x0000000075FD0000-0x00000000760E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\430C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\430C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4B95.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\4B95.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2580-83-0x0000000004B10000-0x0000000004F08000-memory.dmp

memory/2512-81-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2512-84-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2512-85-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2512-86-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2512-87-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2512-88-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2512-93-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2512-95-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2600-98-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/2580-99-0x0000000004F10000-0x00000000057FB000-memory.dmp

memory/2580-100-0x0000000000400000-0x0000000002FB8000-memory.dmp

\Users\Admin\AppData\Local\Temp\39B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\39B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\39B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2580-104-0x0000000004B10000-0x0000000004F08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2512-107-0x00000000749D0000-0x00000000750BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55F2.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2600-109-0x0000000000260000-0x00000000009E0000-memory.dmp

memory/2600-112-0x0000000000260000-0x00000000009E0000-memory.dmp

memory/2600-113-0x00000000760E0000-0x0000000076127000-memory.dmp

memory/2600-114-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-116-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-119-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-120-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-118-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-117-0x0000000075FD0000-0x00000000760E0000-memory.dmp

memory/2600-115-0x0000000075FD0000-0x00000000760E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\6A0F.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

C:\Users\Admin\AppData\Local\Temp\6A0F.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

\Users\Admin\AppData\Local\Temp\55F2.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2600-130-0x0000000075FD0000-0x00000000760E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4B95.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/528-133-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2580-134-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/528-136-0x0000000000060000-0x000000000006C000-memory.dmp

memory/528-135-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1728-140-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2600-141-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/1728-143-0x0000000000190000-0x0000000000196000-memory.dmp

memory/2512-159-0x00000000749D0000-0x00000000750BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\39B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\dd747644-8f85-4c87-9099-eef4762b47f7\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1616-163-0x0000000000150000-0x00000000001BB000-memory.dmp

memory/1616-164-0x00000000001C0000-0x0000000000235000-memory.dmp

memory/1616-165-0x0000000000150000-0x00000000001BB000-memory.dmp

memory/1616-178-0x0000000000150000-0x00000000001BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2680-181-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1516-184-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/1516-185-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/2332-193-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9BD2.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c96ba16ca3d285722f5e64b85894b45
SHA1 d9ecd3ee92589e1aed81cd9f5eec2639dc5d803d
SHA256 2c16810f89a902aedb6c718214426307531afc5351c20e8c8df7dd082414ff26
SHA512 24d844fac21d619dfa19bb16d439d55386eee0b67ae40ab4b96f785664c2edd353ab82775919ea466f4bd87bd3aefc4a696cf8dac2d98c12f314eb9cb6c4b75b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 67eb079208e0ccd5a10937eb261f834c
SHA1 3e7affae69c541eea43c200da55b5307b7cf873c
SHA256 305282a54b809dc2606cd732f36da44400a6e7958cb822b048fa8caad1430363
SHA512 274e60d64639b5fa72abaa5ae4975783a65acbba9157f1124ad12d63a44518aef9546c858f41a41c2136e8935f790a34ca0178896409d09062d53417093e4020

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3cc1eab5e14e2d7a01804b22ecf4043
SHA1 1883aeaac8649c5b6848f2131ec56464b964f8fc
SHA256 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512 adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c6ff131c28a0352779395fadbcae8ae7
SHA1 60dfc344b21440d52eadf47576a7983b82582f3b
SHA256 864c2c68dcd3321e8c077dc9b2bd7f6c12efd53a8536cb7b1f70baa8196b528f
SHA512 755fca24030a5dd61beeb8acf60c8907a717f260a45d02d5368e1f1c09d40c13969107472d4ce9032596e2f9f61738491c57066a5fc044dc8ef9ab657f5a536f

memory/2332-207-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2332-209-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1728-208-0x00000000023D0000-0x00000000024F3000-memory.dmp

memory/2580-206-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1728-210-0x0000000002500000-0x0000000002608000-memory.dmp

memory/1728-211-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2332-212-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-214-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1728-215-0x0000000002500000-0x0000000002608000-memory.dmp

memory/1728-218-0x0000000002500000-0x0000000002608000-memory.dmp

memory/1728-220-0x0000000002500000-0x0000000002608000-memory.dmp

memory/2332-224-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2332-226-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2332-227-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-228-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2332-232-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\jibicac

MD5 8f1ef200b8af9e31236a1637ec7b07e4
SHA1 af7b92e815e4bb1904ca4b29b5df127f868c4b6f
SHA256 deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
SHA512 787a0b59b000e49092f3e81121b7fc501e347b5935208f8853e4ecb5ca474c0cb2977d9f5766bdc1b0eb55fc799cd8cb8824745c2e6d10863a21e079d10b67ff

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2396-238-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2396-239-0x0000000000400000-0x00000000005B0000-memory.dmp

\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2332-247-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-251-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1360-250-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/1360-253-0x0000000002320000-0x0000000002371000-memory.dmp

memory/2512-256-0x0000000004B10000-0x0000000004B50000-memory.dmp

memory/2600-255-0x0000000005A80000-0x0000000005AC0000-memory.dmp

memory/2332-267-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\df591f62-dfec-494e-a29b-2615fa6a4b6d\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2332-269-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1276-272-0x0000000002C60000-0x0000000002C76000-memory.dmp

memory/2580-271-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2396-274-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/472-277-0x00000000048F0000-0x0000000004CE8000-memory.dmp


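The dropped-files listing above repeats entries and writes the same path both with and without the C: drive prefix, which hides two facts a responder wants from it: the file written to C:\Users\Admin\AppData\Roaming\jibicac carries SHA256 deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514, the hash of the submitted sample itself (the loader copied itself into the roaming profile), and 31CA.exe was written twice, once to Temp and once into a GUID-named directory under Local AppData. The Python below is an added example, not part of the sandbox report or of any vendor tooling; it parses a verbatim excerpt of the listing (SHA1/SHA512 lines and most entries left out to keep it short), groups entries by SHA256 rather than by name, and answers both questions. Function and constant names are the example's own.

```python
import re
from collections import defaultdict

# Verbatim excerpt of the dropped-files listing above (not constructed data).
# SHA1/SHA512 lines are left out to keep the excerpt short; the parser
# accepts any of MD5/SHA1/SHA256/SHA512.
REPORT_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\6A0F.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b

C:\Users\Admin\AppData\Local\Temp\6A0F.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b

memory/2600-130-0x0000000075FD0000-0x00000000760E0000-memory.dmp

C:\Users\Admin\AppData\Local\dd747644-8f85-4c87-9099-eef4762b47f7\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca

\Users\Admin\AppData\Local\Temp\31CA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca

C:\Users\Admin\AppData\Roaming\jibicac

MD5 8f1ef200b8af9e31236a1637ec7b07e4
SHA256 deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
"""

# SHA256 the report gives for the submitted sample; it also appears above as
# the hash of C:\Users\Admin\AppData\Roaming\jibicac.
SAMPLE_SHA256 = "deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514"

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
GUID_DIR_RE = re.compile(r"\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)

def normalize_path(path):
    """Fold the listing's two spellings of one path (with and without the
    C: drive prefix) onto the drive-qualified, lower-cased form."""
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path
    return path.lower()

def parse_dropped_files(text):
    """Return [(path, {algo: hexdigest})] for every entry that carries a
    SHA256. memory/... dump names have no hashes and are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            current = None
            continue
        current = (line, {})
        entries.append(current)
    return [e for e in entries if "SHA256" in e[1]]

def group_by_sha256(entries):
    """Map each SHA256 to the set of distinct normalized paths it was written to."""
    groups = defaultdict(set)
    for path, hashes in entries:
        groups[hashes["SHA256"]].add(normalize_path(path))
    return groups

def self_copies(groups, sample_sha256=SAMPLE_SHA256):
    """Dropped paths whose content is byte-identical to the submitted sample."""
    return sorted(groups.get(sample_sha256, ()))

def staged_copies(groups):
    """Hashes written to more than one distinct path: the first drop plus a
    copy staged elsewhere for persistence."""
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}

def guid_dir_paths(groups):
    """Paths inside a GUID-named directory (the staging pattern seen above)."""
    return sorted(p for ps in groups.values() for p in ps if GUID_DIR_RE.search(p))

if __name__ == "__main__":
    g = group_by_sha256(parse_dropped_files(REPORT_EXCERPT))
    print("self-copies of the sample:", self_copies(g))
    print("staged twice:", staged_copies(g))
    print("GUID-directory staging:", guid_dir_paths(g))
```

Grouping by hash rather than by file name is the point: the listing has five entries but only three distinct files, one of them the sample itself under a new name, and the same check run over the full listing (paste the whole block above into REPORT_EXCERPT) also pairs build2.exe and build3.exe across their Local AppData and drive-less spellings.
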
Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 17:18

Reported

2023-10-15 17:21

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\45BF.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\45BF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\45BF.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\432E.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4D72.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

UPX packed file

upx

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9192be61-fe87-4d49-82c8-2ac9d1ee2d71\\432E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\432E.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
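
The three Run entries above show two different persistence styles: a value named SysHelper that starts 432E.exe from a GUID-named folder under Local AppData with the --AutoStart argument, and a value named csrss that starts C:\Windows\rss\csrss.exe, a binary named after a core Windows process but living outside System32, written first by the dropper 57D4.exe and then re-asserted by csrss.exe itself. The Python below is an added example, not part of the report or of any vendor tooling; it parses the three rows exactly as printed, unescapes the value data, splits the image path from its arguments, and applies the heuristics a hunt query would apply: a system-process name outside System32/SysWOW64, a GUID-named AppData directory, a writer that differs from the image it persists, and the HKU hive (a per-user Run key needs no elevation). The list of borrowed names and the flag wording are the example's own choices.

```python
import re

# The three "Set value (str)" rows of the table above, copied verbatim
# (not constructed): key\name = "escaped data" writing-process N/A
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9192be61-fe87-4d49-82c8-2ac9d1ee2d71\\432E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\432E.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A',
]

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'\\REGISTRY\\(?P<hive>USER|MACHINE)\\\S*?\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) '
    r'= "(?P<data>.*)" (?P<writer>\S+) N/A$'
)

# Core Windows process names that malware borrows (list chosen for this
# example); the genuine binaries live under System32 or SysWOW64.
SYSTEM_BINARIES = {"csrss", "smss", "wininit", "winlogon", "services",
                   "lsass", "svchost", "explorer", "dllhost", "conhost"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
GUID_DIR_RE = re.compile(r"\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)

def unescape(data):
    """Undo the report's escaping of backslashes and quotes in value data."""
    return re.sub(r"\\(.)", r"\1", data)

def split_command(cmd):
    """Split a Run value into (image path, arguments); quoted image first."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()

def flag_run_entry(image, writer, hive):
    """Heuristic flags for one Run entry (the example's own rules)."""
    low = image.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    flags = []
    if stem in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        flags.append("masquerades as a system binary outside System32")
    if "\\appdata\\" in low:
        flags.append("runs from the user profile")
        if GUID_DIR_RE.search(low):
            flags.append("guid-named directory under AppData")
    if writer.lower() != low:
        flags.append("written by a different binary than the one it starts")
    if hive == "USER":
        flags.append("per-user persistence (HKU), no elevation needed")
    return flags

def analyze_run_key_rows(rows):
    """Parse report rows into structured findings with heuristic flags."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # not a Run-key row
        image, args = split_command(unescape(m["data"]))
        findings.append({
            "value_name": m["name"],
            "image": image,
            "args": args,
            "writer": m["writer"],
            "flags": flag_run_entry(image, m["writer"], m["hive"]),
        })
    return findings

if __name__ == "__main__":
    for f in analyze_run_key_rows(RUN_KEY_ROWS):
        print(f["value_name"], "->", f["image"], f["args"], "|", "; ".join(f["flags"]))
```

The same regex and flags transfer to a live host by feeding it the output of a Run-key enumeration instead of report rows; the masquerade rule is the one that separates the csrss entry from a benign one, since a real csrss.exe is never started from a Run key and never from C:\Windows\rss.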

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\45BF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45BF.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\51C9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vrfwfde N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\51C9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\51C9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vrfwfde N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vrfwfde N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51C9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vrfwfde N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\45BF.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\57D4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 896 N/A N/A C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 3172 wrote to memory of 896 N/A N/A C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 3172 wrote to memory of 896 N/A N/A C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 3172 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\45BF.exe
PID 3172 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\45BF.exe
PID 3172 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\Temp\45BF.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Users\Admin\AppData\Local\Temp\432E.exe
PID 3172 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\Temp\4737.exe
PID 3172 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\Temp\4737.exe
PID 3172 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\Temp\4737.exe
PID 3172 wrote to memory of 2784 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D72.exe
PID 3172 wrote to memory of 2784 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D72.exe
PID 3172 wrote to memory of 2784 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D72.exe
PID 2516 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\4737.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3172 wrote to memory of 4988 N/A N/A C:\Users\Admin\AppData\Local\Temp\51C9.exe
PID 3172 wrote to memory of 4988 N/A N/A C:\Users\Admin\AppData\Local\Temp\51C9.exe
PID 3172 wrote to memory of 4988 N/A N/A C:\Users\Admin\AppData\Local\Temp\51C9.exe
PID 3172 wrote to memory of 1084 N/A N/A C:\Users\Admin\AppData\Local\Temp\57D4.exe
PID 3172 wrote to memory of 1084 N/A N/A C:\Users\Admin\AppData\Local\Temp\57D4.exe
PID 3172 wrote to memory of 1084 N/A N/A C:\Users\Admin\AppData\Local\Temp\57D4.exe
PID 3172 wrote to memory of 3124 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3172 wrote to memory of 3124 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3124 wrote to memory of 1128 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3124 wrote to memory of 1128 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3124 wrote to memory of 1128 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2784 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\4D72.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2784 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\4D72.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2784 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\4D72.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3172 wrote to memory of 4184 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B10.exe
PID 3172 wrote to memory of 4184 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B10.exe
PID 564 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 564 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 564 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3172 wrote to memory of 212 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 212 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 212 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 212 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2744 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Windows\SysWOW64\icacls.exe
PID 2744 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\432E.exe C:\Windows\SysWOW64\icacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\432E.exe

C:\Users\Admin\AppData\Local\Temp\432E.exe

C:\Users\Admin\AppData\Local\Temp\45BF.exe

C:\Users\Admin\AppData\Local\Temp\45BF.exe

C:\Users\Admin\AppData\Local\Temp\432E.exe

C:\Users\Admin\AppData\Local\Temp\432E.exe

C:\Users\Admin\AppData\Local\Temp\4737.exe

C:\Users\Admin\AppData\Local\Temp\4737.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\4D72.exe

C:\Users\Admin\AppData\Local\Temp\4D72.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2516 -ip 2516

C:\Users\Admin\AppData\Local\Temp\51C9.exe

C:\Users\Admin\AppData\Local\Temp\51C9.exe

C:\Users\Admin\AppData\Local\Temp\57D4.exe

C:\Users\Admin\AppData\Local\Temp\57D4.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5A56.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 296

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5A56.dll

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\6B10.exe

C:\Users\Admin\AppData\Local\Temp\6B10.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\9192be61-fe87-4d49-82c8-2ac9d1ee2d71" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\432E.exe

"C:\Users\Admin\AppData\Local\Temp\432E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\432E.exe

"C:\Users\Admin\AppData\Local\Temp\432E.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\vrfwfde

C:\Users\Admin\AppData\Roaming\vrfwfde

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\57D4.exe

"C:\Users\Admin\AppData\Local\Temp\57D4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 172.67.213.185:443 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 udp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
AR 181.170.86.159:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 159.86.170.181.in-addr.arpa udp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
US 8.8.8.8:53 udp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
US 8.8.8.8:53 udp
N/A 104.21.21.57:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
AR 181.170.86.159:80 wirtshauspost.at tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
AR 181.170.86.159:80 wirtshauspost.at tcp
AR 181.170.86.159:80 wirtshauspost.at tcp
US 8.8.8.8:53 83dac4bd-c0e9-4da5-a756-ce13937cbd14.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.thestatsfiles.ru udp
US 162.159.130.233:443 cdn.discordapp.com tcp
SG 74.125.24.127:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.24.125.74.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp

Files

memory/1144-1-0x0000000000620000-0x0000000000720000-memory.dmp

memory/1144-2-0x0000000000600000-0x000000000060B000-memory.dmp

memory/1144-3-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/3172-4-0x0000000003450000-0x0000000003466000-memory.dmp

memory/1144-5-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/1144-8-0x0000000000600000-0x000000000060B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\432E.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\432E.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\45BF.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/896-24-0x0000000004880000-0x0000000004914000-memory.dmp

memory/896-25-0x00000000049D0000-0x0000000004AEB000-memory.dmp

memory/2884-26-0x0000000000C70000-0x00000000013F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\45BF.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/2744-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\432E.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2744-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4737.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2744-34-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4737.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2884-36-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-37-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-38-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-40-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-39-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-41-0x0000000077354000-0x0000000077356000-memory.dmp

memory/4288-49-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D72.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4D72.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2744-43-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\51C9.exe

MD5 b34a1347aeef34e39c2936e969c9f0d5
SHA1 7e30999d290921dad4811e8e2017be8c1d0e9abd
SHA256 23439192304985da6561b0d6f6ad4ece7a4eecf01ded84e9f73ac4ac6ab5cf9a
SHA512 295ab21837bb0ab3101e9810265a0ca9694737f455fee78158951d606862787ee2e170f0c7dbf200e6bb344c5ed90975568f22dc3f2d40b0413c1252fb2df3b1

C:\Users\Admin\AppData\Local\Temp\51C9.exe

MD5 b34a1347aeef34e39c2936e969c9f0d5
SHA1 7e30999d290921dad4811e8e2017be8c1d0e9abd
SHA256 23439192304985da6561b0d6f6ad4ece7a4eecf01ded84e9f73ac4ac6ab5cf9a
SHA512 295ab21837bb0ab3101e9810265a0ca9694737f455fee78158951d606862787ee2e170f0c7dbf200e6bb344c5ed90975568f22dc3f2d40b0413c1252fb2df3b1

memory/4988-58-0x00000000021B0000-0x00000000021BB000-memory.dmp

memory/4988-59-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/4988-57-0x0000000000640000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57D4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\57D4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2884-66-0x0000000000C70000-0x00000000013F0000-memory.dmp

memory/1084-67-0x0000000004ED0000-0x00000000052CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\5A56.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/1084-73-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1084-74-0x00000000052D0000-0x0000000005BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5A56.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2884-75-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-77-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/4288-78-0x0000000073950000-0x0000000074100000-memory.dmp

memory/1128-80-0x0000000010000000-0x00000000101E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3172-85-0x0000000008C50000-0x0000000008C66000-memory.dmp

memory/4988-90-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/1128-89-0x0000000000370000-0x0000000000376000-memory.dmp

memory/2884-86-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-92-0x0000000000C70000-0x00000000013F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B10.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2884-84-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-105-0x0000000006220000-0x00000000067C4000-memory.dmp

memory/2744-106-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2884-107-0x00000000762A0000-0x0000000076390000-memory.dmp

memory/2884-108-0x00000000762A0000-0x0000000076390000-memory.dmp

C:\Users\Admin\AppData\Local\9192be61-fe87-4d49-82c8-2ac9d1ee2d71\432E.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/212-110-0x0000000001200000-0x000000000126B000-memory.dmp

memory/4504-111-0x0000000001290000-0x000000000129C000-memory.dmp

memory/4504-115-0x0000000001290000-0x000000000129C000-memory.dmp

memory/212-113-0x0000000001200000-0x000000000126B000-memory.dmp

memory/4288-114-0x0000000007CA0000-0x0000000007D32000-memory.dmp

memory/212-112-0x0000000001270000-0x00000000012E5000-memory.dmp

memory/2884-116-0x0000000005EB0000-0x0000000005F4C000-memory.dmp

memory/4288-138-0x0000000005750000-0x0000000005760000-memory.dmp

memory/212-139-0x0000000001200000-0x000000000126B000-memory.dmp

memory/4288-140-0x0000000007C40000-0x0000000007C4A000-memory.dmp

memory/1084-141-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4288-143-0x0000000008D80000-0x0000000009398000-memory.dmp

memory/1084-144-0x0000000004ED0000-0x00000000052CF000-memory.dmp

memory/4288-145-0x0000000007FA0000-0x00000000080AA000-memory.dmp

memory/4288-146-0x0000000007EB0000-0x0000000007EC2000-memory.dmp

memory/2744-148-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\432E.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1084-147-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4288-151-0x0000000007F10000-0x0000000007F4C000-memory.dmp

memory/4288-157-0x0000000073950000-0x0000000074100000-memory.dmp

memory/4288-154-0x0000000007F50000-0x0000000007F9C000-memory.dmp

memory/5008-156-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1304-158-0x00000000047A5000-0x0000000004836000-memory.dmp

memory/5008-160-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\432E.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/5008-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1084-163-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4288-164-0x0000000005750000-0x0000000005760000-memory.dmp

memory/2884-168-0x0000000005E80000-0x0000000005E9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\vrfwfde

MD5 8f1ef200b8af9e31236a1637ec7b07e4
SHA1 af7b92e815e4bb1904ca4b29b5df127f868c4b6f
SHA256 deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
SHA512 787a0b59b000e49092f3e81121b7fc501e347b5935208f8853e4ecb5ca474c0cb2977d9f5766bdc1b0eb55fc799cd8cb8824745c2e6d10863a21e079d10b67ff

memory/60-172-0x0000000073950000-0x0000000074100000-memory.dmp

memory/60-173-0x0000000003490000-0x00000000034A0000-memory.dmp

memory/60-174-0x0000000002FE0000-0x0000000003016000-memory.dmp

memory/1128-175-0x0000000002330000-0x0000000002453000-memory.dmp

memory/60-177-0x0000000003490000-0x00000000034A0000-memory.dmp

memory/1128-178-0x0000000002460000-0x0000000002568000-memory.dmp

memory/3544-179-0x00000000005F0000-0x00000000006F0000-memory.dmp

memory/3544-180-0x00000000006F0000-0x00000000006FB000-memory.dmp

memory/3544-184-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/1128-182-0x0000000002460000-0x0000000002568000-memory.dmp

memory/1128-186-0x0000000002460000-0x0000000002568000-memory.dmp

memory/2884-187-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-185-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-189-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-191-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-194-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/60-193-0x0000000005C00000-0x0000000006228000-memory.dmp

memory/2884-196-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-198-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-200-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-202-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-205-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/1128-204-0x0000000002460000-0x0000000002568000-memory.dmp

memory/2884-207-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-211-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/2884-209-0x0000000005E80000-0x0000000005E95000-memory.dmp

memory/5012-212-0x0000000000400000-0x000000000045A000-memory.dmp

memory/5012-213-0x0000000073950000-0x0000000074100000-memory.dmp

memory/60-214-0x0000000073950000-0x0000000074100000-memory.dmp

memory/2884-215-0x00000000060F0000-0x0000000006100000-memory.dmp

memory/60-217-0x0000000003490000-0x00000000034A0000-memory.dmp

memory/2884-219-0x00000000762A0000-0x0000000076390000-memory.dmp

C:\Users\Admin\AppData\Roaming\hifwfde

MD5 b34a1347aeef34e39c2936e969c9f0d5
SHA1 7e30999d290921dad4811e8e2017be8c1d0e9abd
SHA256 23439192304985da6561b0d6f6ad4ece7a4eecf01ded84e9f73ac4ac6ab5cf9a
SHA512 295ab21837bb0ab3101e9810265a0ca9694737f455fee78158951d606862787ee2e170f0c7dbf200e6bb344c5ed90975568f22dc3f2d40b0413c1252fb2df3b1

memory/60-223-0x0000000005B60000-0x0000000005B82000-memory.dmp

memory/1084-226-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdbdcuav.eul.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3172-240-0x0000000003360000-0x0000000003376000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 f57bf6e78035d7f9150292a466c1a82d
SHA1 58cce014a5e6a6c6d08f77b1de4ce48e31bc4331
SHA256 25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415
SHA512 fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

C:\Users\Admin\AppData\Local\Temp\57D4.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8d805f846c727301b04658dbd79e3902
SHA1 6a2027a89818f89f2c0dbfa6e1c3f7ac72e08caf
SHA256 92ceca2004bbd4f028a2fa3d99f3e1329d756b4132bd98e8ee3feba2b7d26cd2
SHA512 5de63aabdea5df18e60b4f2e6f74b9d74367ab45a99e8523c32dfca6419647ef8c37f3d36fc0a655759d0aad61df3943a76257527b8476df297335aa95c2ac28

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 045ca435f63438d606421725a17facdb
SHA1 e0f9b9c6777f8c19acd9d8f20b8aa2afd8107ecf
SHA256 643785b4328f454b6dc52ae13ef9ebe98fc30c8c93d40dad67fb7f70fc6dbfd8
SHA512 42e95af4dd29c73f8f4e4c4e8cb9666805c8e926ba849a8f315a09e85b5359ec3c330bdb40775923ec5439c4258ceac209bfecd14a19581ee9ec02e94c9c0fe1

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 73f4943cf1a32c9377518bea3517ea64
SHA1 b2a0c9e3e6470071065c57e8ab179ad391109ba5
SHA256 8ed847644066de0755cae2675c2cac7ab81a8a8020e2864d000ed198f29cdd53
SHA512 da996a32545678db6abec7d8cd43e09ca1fe29f4d74ff7dc3f9782b3d06e895e1f026c3a4d4d387beec361bf345c794a51c5cddb6bf2436defb8d32a2b87d608

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8633730c7c9cdd5c44bb129069bff054
SHA1 a2b597040b7d2754ce0e11b22437cb2674458f49
SHA256 0dcbfc8c19392d6529302d032509c63204348880f678d0ebfe76cd2b6eb8a500
SHA512 49229abd4d3cce447a3eb9ce36f930171b07d0bf62949965cded20432c737c67c638a04501ad8a08d80bc59532076f5213b345fab7a2c20e028d3d52e4f57395

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 781996e6be7d4676a65493fa80c9141d
SHA1 fcf3b8f14642d9fcaf4abc3735c145953ffb92bd
SHA256 8cfac914c80dbef31b40ff77f1b1635c5d50bcb673d6ac0fee67cca24d6194be
SHA512 a574d17e42f31f2c1e6103826c18608abd00ebae8ff333480eb9d575dd13d97207108d05a298ada50dffcf117923ead01031935e3a1916db2faf3520b220e48c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
