Malware Analysis Report

2025-01-18 05:35

Sample ID 231015-z8vrbacc86
Target 38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2
SHA256 38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2

Threat Level: Known bad

The file 38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2 was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Glupteba payload

SmokeLoader

RedLine

Glupteba

Djvu Ransomware

Detected Djvu ransomware

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Modifies file permissions

Themida packer

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 21:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 21:23

Reported

2023-10-15 21:26

Platform

win10v2004-20230915-en

Max time kernel

118s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4E1C.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4E1C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4E1C.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4B0E.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d169d4e9-a106-460b-b4d0-f411e7113860\\4B0E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\4B0E.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4E1C.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4E1C.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\6581.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\6581.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5DB0.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5DB0.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5DB0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\6581.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5DB0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4E1C.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6581.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6581.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B0E.exe
PID 3160 wrote to memory of 4916 N/A N/A C:\Users\Admin\AppData\Local\Temp\4E1C.exe
PID 3160 wrote to memory of 1020 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F36.exe
PID 4228 wrote to memory of 968 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\4B0E.exe
PID 3160 wrote to memory of 1944 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1944 wrote to memory of 3096 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3160 wrote to memory of 3084 N/A N/A C:\Users\Admin\AppData\Local\Temp\595A.exe
PID 1020 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\4F36.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3160 wrote to memory of 4224 N/A N/A C:\Users\Admin\AppData\Local\Temp\5DB0.exe
PID 968 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\4B0E.exe C:\Windows\SysWOW64\icacls.exe
PID 3084 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\595A.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3160 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\Temp\6581.exe
PID 3160 wrote to memory of 2692 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2556 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2556 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 2968 N/A N/A C:\Windows\explorer.exe
PID 4432 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe

"C:\Users\Admin\AppData\Local\Temp\38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2.exe"

C:\Users\Admin\AppData\Local\Temp\4B0E.exe

C:\Users\Admin\AppData\Local\Temp\4B0E.exe

C:\Users\Admin\AppData\Local\Temp\4E1C.exe

C:\Users\Admin\AppData\Local\Temp\4E1C.exe

C:\Users\Admin\AppData\Local\Temp\4B0E.exe

C:\Users\Admin\AppData\Local\Temp\4B0E.exe

C:\Users\Admin\AppData\Local\Temp\4F36.exe

C:\Users\Admin\AppData\Local\Temp\4F36.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\52A2.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\52A2.dll

C:\Users\Admin\AppData\Local\Temp\595A.exe

C:\Users\Admin\AppData\Local\Temp\595A.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\5DB0.exe

C:\Users\Admin\AppData\Local\Temp\5DB0.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d169d4e9-a106-460b-b4d0-f411e7113860" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1020 -ip 1020

C:\Users\Admin\AppData\Local\Temp\6581.exe

C:\Users\Admin\AppData\Local\Temp\6581.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 144

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4B0E.exe

"C:\Users\Admin\AppData\Local\Temp\4B0E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4B0E.exe

"C:\Users\Admin\AppData\Local\Temp\4B0E.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3840 -ip 3840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\6581.exe

"C:\Users\Admin\AppData\Local\Temp\6581.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files
