Malware Analysis Report

2025-01-18 05:34

Sample ID 231015-zzgs4acc67
Target file
SHA256 38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1 rootkit spyware upx
score
10/10

Analysis Overview

score
10/10

SHA256

38120bdca03441433ad915b13323b20ac07059e50af9fd909d31a33f1d8396b2

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

RedLine

Amadey

SmokeLoader

Glupteba payload

Detected Djvu ransomware

RedLine payload

Glupteba

Djvu Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Checks BIOS information in registry

UPX packed file

Modifies file permissions

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Themida packer

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 21:09

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 21:09

Reported

2023-10-15 21:14

Platform

win7-20230831-en

Max time kernel

265s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EC43.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EC43.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EC43.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\622e97f3-8cbd-4fc9-a368-969aedcc0caf\\E7EF.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E7EF.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EC43.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EC43.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2536 set thread context of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2948 set thread context of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EED4.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EC43.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 1208 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 1208 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 1208 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 2536 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 1208 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC43.exe
PID 1208 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC43.exe
PID 1208 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC43.exe
PID 1208 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC43.exe
PID 1208 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe
PID 1208 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe
PID 1208 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe
PID 1208 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe
PID 1208 wrote to memory of 2412 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2412 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2412 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2412 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2412 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEBD.exe
PID 1208 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEBD.exe
PID 1208 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEBD.exe
PID 1208 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEBD.exe
PID 2412 wrote to memory of 684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2412 wrote to memory of 684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1208 wrote to memory of 576 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DF1.exe
PID 1208 wrote to memory of 576 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DF1.exe
PID 1208 wrote to memory of 576 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DF1.exe
PID 1208 wrote to memory of 576 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DF1.exe
PID 1208 wrote to memory of 1200 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 1200 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 1200 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 1200 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 1200 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1208 wrote to memory of 2020 N/A N/A C:\Windows\explorer.exe
PID 1208 wrote to memory of 2020 N/A N/A C:\Windows\explorer.exe
PID 1208 wrote to memory of 2020 N/A N/A C:\Windows\explorer.exe
PID 1208 wrote to memory of 2020 N/A N/A C:\Windows\explorer.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2948 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\EED4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\EC43.exe

C:\Users\Admin\AppData\Local\Temp\EC43.exe

C:\Users\Admin\AppData\Local\Temp\EED4.exe

C:\Users\Admin\AppData\Local\Temp\EED4.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F6EF.dll

C:\Users\Admin\AppData\Local\Temp\FEBD.exe

C:\Users\Admin\AppData\Local\Temp\FEBD.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F6EF.dll

C:\Users\Admin\AppData\Local\Temp\1DF1.exe

C:\Users\Admin\AppData\Local\Temp\1DF1.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 72

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\622e97f3-8cbd-4fc9-a368-969aedcc0caf" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Network

Files

memory/2648-1-0x0000000000670000-0x0000000000770000-memory.dmp

memory/2648-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2648-3-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/2648-4-0x0000000000670000-0x0000000000770000-memory.dmp

memory/2648-5-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/2648-6-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2648-7-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/1208-8-0x00000000021E0000-0x00000000021F6000-memory.dmp

memory/2648-9-0x0000000000400000-0x00000000005B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2536-24-0x0000000000300000-0x0000000000391000-memory.dmp

memory/2536-25-0x0000000000300000-0x0000000000391000-memory.dmp

memory/2536-28-0x0000000004550000-0x000000000466B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2008-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2008-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\EC43.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/2484-38-0x0000000001030000-0x00000000017B0000-memory.dmp

memory/2008-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2484-40-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-41-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EED4.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2484-49-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-50-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EED4.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2484-43-0x0000000075E40000-0x0000000075E87000-memory.dmp

memory/2484-51-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-53-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-55-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-56-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-57-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-58-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-59-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-62-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F6EF.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2484-65-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-63-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-60-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-66-0x0000000075E40000-0x0000000075E87000-memory.dmp

memory/2484-67-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-68-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-70-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-69-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-72-0x0000000077660000-0x0000000077662000-memory.dmp

memory/2484-71-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2008-73-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEBD.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\FEBD.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/576-89-0x00000000048F0000-0x0000000004CE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1DF1.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\1DF1.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2484-91-0x0000000001030000-0x00000000017B0000-memory.dmp

memory/2484-93-0x0000000075E40000-0x0000000075E87000-memory.dmp

memory/2484-92-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-95-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-94-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-96-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-97-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-99-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-98-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-101-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-100-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-109-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-108-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-107-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-106-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-105-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-104-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-103-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-102-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/2484-110-0x0000000076BD0000-0x0000000076CE0000-memory.dmp

memory/576-111-0x00000000048F0000-0x0000000004CE8000-memory.dmp

memory/576-112-0x0000000004CF0000-0x00000000055DB000-memory.dmp

memory/576-113-0x0000000000400000-0x0000000002FB8000-memory.dmp

\Users\Admin\AppData\Local\Temp\F6EF.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2020-117-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2020-119-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2020-118-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2816-121-0x0000000000400000-0x000000000043E000-memory.dmp

memory/684-123-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2816-122-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2816-124-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2484-127-0x0000000001030000-0x00000000017B0000-memory.dmp

memory/2816-130-0x0000000000400000-0x000000000043E000-memory.dmp

memory/684-129-0x0000000000140000-0x0000000000146000-memory.dmp

memory/2816-128-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2816-126-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-120-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2816-139-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2816-132-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\EED4.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\EED4.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\EED4.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/1200-143-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/1200-156-0x0000000000080000-0x00000000000EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2484-164-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/576-168-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2484-176-0x0000000000CC0000-0x0000000000D00000-memory.dmp

memory/2816-177-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/2816-180-0x0000000000D50000-0x0000000000D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1DF1.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/684-186-0x00000000024F0000-0x0000000002613000-memory.dmp

memory/684-187-0x0000000000E00000-0x0000000000F08000-memory.dmp

C:\Users\Admin\AppData\Local\622e97f3-8cbd-4fc9-a368-969aedcc0caf\E7EF.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2008-213-0x0000000000400000-0x0000000000537000-memory.dmp

memory/576-215-0x0000000000400000-0x0000000002FB8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 21:09

Reported

2023-10-15 21:12

Platform

win10v2004-20230915-en

Max time kernel

158s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4756.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4756.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4756.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5524.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4476.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a9d76563-cc3e-4975-a6e2-9b3f64e69fc8\\4476.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\4476.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4756.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4756.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\6022.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5813.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5813.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5813.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5813.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4756.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6022.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\4476.exe
PID 3096 wrote to memory of 4508 N/A N/A C:\Users\Admin\AppData\Local\Temp\4756.exe
PID 400 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\4476.exe C:\Users\Admin\AppData\Local\Temp\4476.exe
PID 3096 wrote to memory of 1356 N/A N/A C:\Users\Admin\AppData\Local\Temp\48DD.exe
PID 3096 wrote to memory of 868 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1356 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\48DD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 868 wrote to memory of 1420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3096 wrote to memory of 5104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5524.exe
PID 3096 wrote to memory of 1260 N/A N/A C:\Users\Admin\AppData\Local\Temp\5813.exe
PID 3096 wrote to memory of 4284 N/A N/A C:\Users\Admin\AppData\Local\Temp\6022.exe
PID 3096 wrote to memory of 1332 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3096 wrote to memory of 1120 N/A N/A C:\Windows\explorer.exe
PID 5104 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\5524.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2256 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2256 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\4476.exe C:\Windows\SysWOW64\icacls.exe
PID 3012 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\4476.exe C:\Windows\SysWOW64\icacls.exe
PID 3012 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\4476.exe C:\Windows\SysWOW64\icacls.exe
PID 3012 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\4476.exe C:\Users\Admin\AppData\Local\Temp\4476.exe
PID 3012 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\4476.exe C:\Users\Admin\AppData\Local\Temp\4476.exe
PID 3012 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\4476.exe C:\Users\Admin\AppData\Local\Temp\4476.exe
PID 932 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\4476.exe

C:\Users\Admin\AppData\Local\Temp\4476.exe

C:\Users\Admin\AppData\Local\Temp\4756.exe

C:\Users\Admin\AppData\Local\Temp\4756.exe

C:\Users\Admin\AppData\Local\Temp\4476.exe

C:\Users\Admin\AppData\Local\Temp\4476.exe

C:\Users\Admin\AppData\Local\Temp\48DD.exe

C:\Users\Admin\AppData\Local\Temp\48DD.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4C49.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1356 -ip 1356

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4C49.dll

C:\Users\Admin\AppData\Local\Temp\5524.exe

C:\Users\Admin\AppData\Local\Temp\5524.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 152

C:\Users\Admin\AppData\Local\Temp\5813.exe

C:\Users\Admin\AppData\Local\Temp\5813.exe

C:\Users\Admin\AppData\Local\Temp\6022.exe

C:\Users\Admin\AppData\Local\Temp\6022.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a9d76563-cc3e-4975-a6e2-9b3f64e69fc8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4476.exe

"C:\Users\Admin\AppData\Local\Temp\4476.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\4476.exe

"C:\Users\Admin\AppData\Local\Temp\4476.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\6022.exe

"C:\Users\Admin\AppData\Local\Temp\6022.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 wirtshauspost.at udp
KR 123.140.161.243:80 wirtshauspost.at tcp
FR 146.59.161.13:39199 tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 243.161.140.123.in-addr.arpa udp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 edc335eb-0fff-4b46-94a7-bcb780c9ab76.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 server16.thestatsfiles.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.204.127:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.204.125.74.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp

Files

memory/3688-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/3688-2-0x0000000002300000-0x000000000230B000-memory.dmp

memory/3688-3-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/3688-4-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/3096-5-0x0000000000E20000-0x0000000000E36000-memory.dmp

memory/3688-6-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/3688-9-0x0000000002300000-0x000000000230B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4476.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\4476.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/400-22-0x0000000004880000-0x0000000004913000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4756.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

C:\Users\Admin\AppData\Local\Temp\4756.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/4508-27-0x0000000000060000-0x00000000007E0000-memory.dmp

memory/400-29-0x0000000004970000-0x0000000004A8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48DD.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\4476.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3012-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3012-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4508-35-0x0000000077280000-0x0000000077370000-memory.dmp

memory/3012-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4508-37-0x0000000077280000-0x0000000077370000-memory.dmp

memory/4508-41-0x0000000077280000-0x0000000077370000-memory.dmp

memory/4508-39-0x0000000077280000-0x0000000077370000-memory.dmp

memory/4508-43-0x0000000077280000-0x0000000077370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48DD.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/4508-34-0x0000000077280000-0x0000000077370000-memory.dmp

memory/4508-44-0x0000000077C14000-0x0000000077C16000-memory.dmp

memory/3012-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/984-46-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C49.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Local\Temp\5524.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\5524.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4C49.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Local\Temp\5813.exe

MD5 d7da66b6f848a13cd52397965be52522
SHA1 55baeaa819a1cfef7ba3f34907bcd9b63ab35f61
SHA256 3aef85f4298b4a7b699a802ee95bf2affac8081258ed707c2baf4395e46a95de
SHA512 82eac7b8c157dfd24f0e53f92a4575ab5be9371c70e412ad9e84e99f3c9caa9e58e300afb26a3f4971e187bf9bfd61d750ee5d2c487efdfcb63d535a079efa64

C:\Users\Admin\AppData\Local\Temp\5813.exe

MD5 d7da66b6f848a13cd52397965be52522
SHA1 55baeaa819a1cfef7ba3f34907bcd9b63ab35f61
SHA256 3aef85f4298b4a7b699a802ee95bf2affac8081258ed707c2baf4395e46a95de
SHA512 82eac7b8c157dfd24f0e53f92a4575ab5be9371c70e412ad9e84e99f3c9caa9e58e300afb26a3f4971e187bf9bfd61d750ee5d2c487efdfcb63d535a079efa64

memory/1260-62-0x0000000000740000-0x0000000000840000-memory.dmp

memory/1260-63-0x0000000000730000-0x000000000073B000-memory.dmp

memory/1260-64-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/1420-65-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/4508-68-0x0000000000060000-0x00000000007E0000-memory.dmp

memory/1420-69-0x0000000002360000-0x0000000002366000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6022.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\6022.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4508-75-0x0000000077280000-0x0000000077370000-memory.dmp

memory/4508-76-0x0000000077280000-0x0000000077370000-memory.dmp

memory/1332-78-0x0000000000C40000-0x0000000000CAB000-memory.dmp

memory/4508-79-0x0000000077280000-0x0000000077370000-memory.dmp

memory/4508-77-0x0000000077280000-0x0000000077370000-memory.dmp

memory/4508-80-0x0000000077280000-0x0000000077370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4508-81-0x0000000077280000-0x0000000077370000-memory.dmp

memory/1120-84-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/1120-92-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/1332-91-0x0000000000C40000-0x0000000000CAB000-memory.dmp

memory/1332-102-0x0000000001100000-0x0000000001180000-memory.dmp

memory/984-87-0x00000000739F0000-0x00000000741A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4284-115-0x0000000004C40000-0x000000000503C000-memory.dmp

memory/4284-119-0x0000000005140000-0x0000000005A2B000-memory.dmp

memory/4508-118-0x0000000000060000-0x00000000007E0000-memory.dmp

memory/4284-121-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\a9d76563-cc3e-4975-a6e2-9b3f64e69fc8\4476.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1260-132-0x0000000000400000-0x00000000005B2000-memory.dmp

memory/1332-131-0x0000000000C40000-0x0000000000CAB000-memory.dmp

memory/3096-123-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/4508-122-0x00000000060C0000-0x0000000006664000-memory.dmp

memory/984-137-0x0000000007940000-0x00000000079D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4476.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3012-138-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2964-143-0x00000000048F0000-0x0000000004983000-memory.dmp

memory/4508-145-0x0000000005C70000-0x0000000005D0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4476.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/4852-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4852-148-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4852-150-0x0000000000400000-0x0000000000537000-memory.dmp

memory/984-151-0x00000000739F0000-0x00000000741A0000-memory.dmp

memory/1120-154-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/4284-155-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4284-157-0x0000000004C40000-0x000000000503C000-memory.dmp

memory/1420-156-0x00000000027A0000-0x00000000028C3000-memory.dmp

memory/1420-158-0x00000000028D0000-0x00000000029D8000-memory.dmp

memory/4284-159-0x0000000005140000-0x0000000005A2B000-memory.dmp

memory/400-162-0x0000000002BD0000-0x0000000002C06000-memory.dmp

memory/1420-160-0x00000000028D0000-0x00000000029D8000-memory.dmp

memory/400-163-0x00000000739F0000-0x00000000741A0000-memory.dmp

memory/1420-165-0x00000000028D0000-0x00000000029D8000-memory.dmp

memory/400-164-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

memory/984-166-0x0000000007B50000-0x0000000007B60000-memory.dmp

memory/400-168-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

memory/4284-167-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/400-169-0x0000000005340000-0x0000000005968000-memory.dmp

memory/984-170-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

memory/1420-171-0x00000000028D0000-0x00000000029D8000-memory.dmp

memory/400-173-0x0000000005250000-0x0000000005272000-memory.dmp

memory/400-174-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/400-175-0x0000000005B50000-0x0000000005BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tw2xpvq0.2n2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/400-185-0x0000000005D00000-0x0000000006054000-memory.dmp

memory/984-186-0x0000000008AC0000-0x00000000090D8000-memory.dmp

memory/984-187-0x0000000007CB0000-0x0000000007DBA000-memory.dmp

memory/984-188-0x0000000007BE0000-0x0000000007BF2000-memory.dmp

memory/400-189-0x00000000061A0000-0x00000000061BE000-memory.dmp

memory/984-190-0x0000000007C40000-0x0000000007C7C000-memory.dmp

memory/400-191-0x00000000062D0000-0x000000000631C000-memory.dmp

memory/400-193-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\fvradic

MD5 d7da66b6f848a13cd52397965be52522
SHA1 55baeaa819a1cfef7ba3f34907bcd9b63ab35f61
SHA256 3aef85f4298b4a7b699a802ee95bf2affac8081258ed707c2baf4395e46a95de
SHA512 82eac7b8c157dfd24f0e53f92a4575ab5be9371c70e412ad9e84e99f3c9caa9e58e300afb26a3f4971e187bf9bfd61d750ee5d2c487efdfcb63d535a079efa64

memory/400-197-0x00000000739F0000-0x00000000741A0000-memory.dmp

memory/400-198-0x0000000006820000-0x0000000006864000-memory.dmp

memory/4508-202-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-203-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-211-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-209-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-219-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-217-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-215-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-213-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-225-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-223-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-221-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-207-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4508-205-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4300-227-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4284-237-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4284-257-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 4fd6b3a467056385abd8ed1f85da0fa2
SHA1 4c42cd69ac787622af8b0748cb72b76911f9ff76
SHA256 5e9fcb024a6b188bad3226ea736d4b95df2a5cc6b493e0fab951c5bc051fbfec
SHA512 525067ffa8c9ef372255eaf264114971590a64cd06302e33ef89d5465eded3a1579b8b79efa1b445e593fa2cd907ed3394b4f1193c0ed63157ed5f06d4889289

C:\Users\Admin\AppData\Local\Temp\6022.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1c5dc028cb66bb1efb033271ef381650
SHA1 bcdacaeec6c0c3a7a4b20ca40a90ac9dd10c1594
SHA256 8e6503389dbe936e19455a58dff19e2047590661f728a6c32350d7814b29677f
SHA512 9753158940e1bfc1d79bace79daaa83572a180b06b37333615b469326b0b8df8d9ab5436cb40d769dfc446b518a135227be36da6c80758daef61aefe36f9886e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dbe2c118cca811988c92d132fdcc515b
SHA1 478ace5da2cacba7c02880e35536a30594a12a49
SHA256 065fddf49e70432670feb995f0e4d9e4e2705631b5e0ddddb9ba956d0822228b
SHA512 845f7172048f999b1d2e6c1a4daee560f43b93c629c1add6ca921334aa0a5320d42efe96d01adc03c719af13daa9d669dbac521f589e518faaae35263c32b081

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 da270e2edd496a1f0279772fe7eeae4a
SHA1 99a172853682d3de7f3d37ef016fa5a16e5afe6c
SHA256 e3155d74459d03cae9d05dc8c49e6873f5c8465f845dbc1bfb79f7133877cc09
SHA512 c064916c2e6b14a21d0bdf7e6623ad4620fd28b4dc541637ce9ae595f0a76efcce2e3b57fbff8bb87662eeb2baf0efcce663d37386f977762fbe3c4d79b3a0d6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3fd6beaadec86baa1f9e030103aeed8b
SHA1 bbf38174ac87c97267c1aa6e3471bef0ebc809b7
SHA256 50570a313559cb94d75a15af3de8b7020960d511eef4d3a725853947553d3057
SHA512 4177cfc35d7e26ea5a462e3933fe62484dc9c20f3c3dc2bdf5efa9c470a37c8a409cfd58b52fb550e61cb3bbc221d77410fc8e0705e5b6eef7f294cc17100862

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c616c812f307daabad905082f065b480
SHA1 d389b4d6a5408f9386ea252406c480e82a992bbf
SHA256 1008d1a6d61038ce2bde434c7012c021b022fa5e72b5cd9762c2d26934a26c6b
SHA512 1f5c81f976b5793360f06ee485fe003f3872047cdaa287fad19fbdae9abad96ca8f215e77b3342a906923ae581af8461615d9c02455cadb009d38a66e854ee1e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec