Malware Analysis Report

2025-01-18 05:50

Sample ID 231016-22ta1shg46
Target file.exe
SHA256 a8aa91182c9febb8db8f1758c1c796b73cfd6cf8494e809cd35d7fee2276802c
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1 spyware upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

RedLine

Amadey

Glupteba

Glupteba payload

SmokeLoader

Djvu Ransomware

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Modifies file permissions

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Checks computer location settings

Executes dropped EXE

Deletes itself

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_office_path

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

outlook_win_path

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 23:05

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 23:05

Reported

2023-10-16 23:10

Platform

win7-20230831-en

Max time kernel

273s

Max time network

327s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\D319.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\D319.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\D319.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CF7F.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B89.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0110cdfe-08c9-40ef-9d33-da6e5606db52\\CF7F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CF7F.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\D319.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D319.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sderjji N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sderjji N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sderjji N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sderjji N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D319.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 2224 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF7F.exe
PID 2224 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\CF7F.exe C:\Users\Admin\AppData\Local\Temp\CF7F.exe
PID 1236 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\Temp\D319.exe
PID 1236 wrote to memory of 2812 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1236 wrote to memory of 2464 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A3.exe
PID 1236 wrote to memory of 1932 N/A N/A C:\Users\Admin\AppData\Local\Temp\B89.exe
PID 1236 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\129C.exe
PID 2812 wrote to memory of 1540 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 1380 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1932 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\B89.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1236 wrote to memory of 1076 N/A N/A C:\Windows\explorer.exe
PID 1204 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1204 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\CF7F.exe

C:\Users\Admin\AppData\Local\Temp\CF7F.exe

C:\Users\Admin\AppData\Local\Temp\CF7F.exe

C:\Users\Admin\AppData\Local\Temp\CF7F.exe

C:\Users\Admin\AppData\Local\Temp\D319.exe

C:\Users\Admin\AppData\Local\Temp\D319.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EF41.dll

C:\Users\Admin\AppData\Local\Temp\2A3.exe

C:\Users\Admin\AppData\Local\Temp\2A3.exe

C:\Users\Admin\AppData\Local\Temp\B89.exe

C:\Users\Admin\AppData\Local\Temp\B89.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EF41.dll

C:\Users\Admin\AppData\Local\Temp\129C.exe

C:\Users\Admin\AppData\Local\Temp\129C.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0110cdfe-08c9-40ef-9d33-da6e5606db52" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1F65E9B5-57AA-439E-8D79-1135B1E771BC} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Roaming\sderjji

C:\Users\Admin\AppData\Roaming\sderjji

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016231034.log C:\Windows\Logs\CBS\CbsPersist_20231016231034.cab

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 23:05

Reported

2023-10-16 23:07

Platform

win10v2004-20230915-en

Max time kernel

102s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5A70.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5A70.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5A70.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\665A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5772.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\da80cd89-7f5c-457e-bc11-c0367a81eea9\\5772.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5772.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5A70.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5A70.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6AFF.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6AFF.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6AFF.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AFF.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5A70.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\71A7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 3108 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 3108 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 3108 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\Temp\5A70.exe
PID 3108 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\Temp\5A70.exe
PID 3108 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\Temp\5A70.exe
PID 3108 wrote to memory of 4704 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3108 wrote to memory of 4704 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3108 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F54.exe
PID 3108 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F54.exe
PID 3108 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F54.exe
PID 4704 wrote to memory of 4292 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4704 wrote to memory of 4292 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4704 wrote to memory of 4292 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1852 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 3108 wrote to memory of 3716 N/A N/A C:\Users\Admin\AppData\Local\Temp\665A.exe
PID 3108 wrote to memory of 3716 N/A N/A C:\Users\Admin\AppData\Local\Temp\665A.exe
PID 3108 wrote to memory of 3716 N/A N/A C:\Users\Admin\AppData\Local\Temp\665A.exe
PID 3108 wrote to memory of 1492 N/A N/A C:\Users\Admin\AppData\Local\Temp\6AFF.exe
PID 3108 wrote to memory of 1492 N/A N/A C:\Users\Admin\AppData\Local\Temp\6AFF.exe
PID 3108 wrote to memory of 1492 N/A N/A C:\Users\Admin\AppData\Local\Temp\6AFF.exe
PID 3108 wrote to memory of 4748 N/A N/A C:\Users\Admin\AppData\Local\Temp\71A7.exe
PID 3108 wrote to memory of 4748 N/A N/A C:\Users\Admin\AppData\Local\Temp\71A7.exe
PID 3108 wrote to memory of 4748 N/A N/A C:\Users\Admin\AppData\Local\Temp\71A7.exe
PID 3108 wrote to memory of 372 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3108 wrote to memory of 372 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3108 wrote to memory of 372 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3108 wrote to memory of 372 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3716 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\665A.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3716 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\665A.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3716 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\665A.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3108 wrote to memory of 2100 N/A N/A C:\Windows\explorer.exe
PID 3108 wrote to memory of 2100 N/A N/A C:\Windows\explorer.exe
PID 3108 wrote to memory of 2100 N/A N/A C:\Windows\explorer.exe
PID 3304 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3304 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3304 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3304 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3304 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3304 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Windows\SysWOW64\icacls.exe
PID 1436 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Windows\SysWOW64\icacls.exe
PID 1436 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Windows\SysWOW64\icacls.exe
PID 1072 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1072 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1072 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1072 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1072 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1072 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1436 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1436 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe
PID 1436 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\5772.exe C:\Users\Admin\AppData\Local\Temp\5772.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\5772.exe

C:\Users\Admin\AppData\Local\Temp\5772.exe

C:\Users\Admin\AppData\Local\Temp\5A70.exe

C:\Users\Admin\AppData\Local\Temp\5A70.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5DCD.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5DCD.dll

C:\Users\Admin\AppData\Local\Temp\5F54.exe

C:\Users\Admin\AppData\Local\Temp\5F54.exe

C:\Users\Admin\AppData\Local\Temp\5772.exe

C:\Users\Admin\AppData\Local\Temp\5772.exe

C:\Users\Admin\AppData\Local\Temp\665A.exe

C:\Users\Admin\AppData\Local\Temp\665A.exe

C:\Users\Admin\AppData\Local\Temp\6AFF.exe

C:\Users\Admin\AppData\Local\Temp\6AFF.exe

C:\Users\Admin\AppData\Local\Temp\71A7.exe

C:\Users\Admin\AppData\Local\Temp\71A7.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\da80cd89-7f5c-457e-bc11-c0367a81eea9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\5772.exe

"C:\Users\Admin\AppData\Local\Temp\5772.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\5772.exe

"C:\Users\Admin\AppData\Local\Temp\5772.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\71A7.exe

"C:\Users\Admin\AppData\Local\Temp\71A7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\512B.exe

C:\Users\Admin\AppData\Local\Temp\512B.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4464 -ip 4464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files
