Malware Analysis Report

2025-01-18 06:28

Sample ID 231016-frlmjadh52
Target 2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900
SHA256 2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware rootkit spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900

Threat Level: Known bad

The file 2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900 was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware rootkit spyware trojan upx

Glupteba

Glupteba payload

RedLine

SmokeLoader

Amadey

Detected Djvu ransomware

Djvu Ransomware

RedLine payload

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Modifies file permissions

Manipulates WinMonFS driver.

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

outlook_win_path

Checks SCSI registry key(s)

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 05:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 05:06

Reported

2023-10-16 05:09

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4D0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FD3C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f88a49f2-66c8-4831-b1a9-da78505ac601\\FD3C.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FD3C.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8C9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8C9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8C9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8C9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DDB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 3164 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 3164 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 3164 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe
PID 3164 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe
PID 3164 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe
PID 3164 wrote to memory of 636 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3164 wrote to memory of 636 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 1792 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 636 wrote to memory of 4496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 4496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 4496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2396 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2396 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FE56.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D0.exe
PID 3164 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D0.exe
PID 3164 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D0.exe
PID 5040 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Windows\SysWOW64\icacls.exe
PID 5040 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Windows\SysWOW64\icacls.exe
PID 5040 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Windows\SysWOW64\icacls.exe
PID 3164 wrote to memory of 4144 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C9.exe
PID 3164 wrote to memory of 4144 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C9.exe
PID 3164 wrote to memory of 4144 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C9.exe
PID 3164 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDB.exe
PID 3164 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDB.exe
PID 3164 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDB.exe
PID 3164 wrote to memory of 3312 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 3312 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 3312 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 3312 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 4492 N/A N/A C:\Windows\explorer.exe
PID 3164 wrote to memory of 4492 N/A N/A C:\Windows\explorer.exe
PID 3164 wrote to memory of 4492 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\4D0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2636 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\4D0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2636 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\4D0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5040 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 5040 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 5040 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe
PID 4724 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4724 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4724 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4724 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\FD3C.exe C:\Users\Admin\AppData\Local\Temp\FD3C.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe

"C:\Users\Admin\AppData\Local\Temp\2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900.exe"

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

C:\Users\Admin\AppData\Local\Temp\FE56.exe

C:\Users\Admin\AppData\Local\Temp\FE56.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7A.dll

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7A.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2396 -ip 2396

C:\Users\Admin\AppData\Local\Temp\4D0.exe

C:\Users\Admin\AppData\Local\Temp\4D0.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 264

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f88a49f2-66c8-4831-b1a9-da78505ac601" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8C9.exe

C:\Users\Admin\AppData\Local\Temp\8C9.exe

C:\Users\Admin\AppData\Local\Temp\DDB.exe

C:\Users\Admin\AppData\Local\Temp\DDB.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

"C:\Users\Admin\AppData\Local\Temp\FD3C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

"C:\Users\Admin\AppData\Local\Temp\FD3C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1596 -ip 1596

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 568

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\DDB.exe

"C:\Users\Admin\AppData\Local\Temp\DDB.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 72d351a9-02f5-4e8c-9500-59175f92425d.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.128.127:19302 stun.l.google.com udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 188.114.96.0:443 walkinglate.com tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

memory/1380-1-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/1380-2-0x0000000002510000-0x000000000251B000-memory.dmp

memory/1380-3-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/1380-5-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/3164-4-0x0000000002B70000-0x0000000002B86000-memory.dmp

memory/1380-8-0x0000000002510000-0x000000000251B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\FE56.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\FE56.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/1792-25-0x0000000004850000-0x00000000048EE000-memory.dmp

memory/1792-26-0x0000000004A10000-0x0000000004B2B000-memory.dmp

memory/5040-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5040-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5040-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/5040-33-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/4496-36-0x0000000000C60000-0x0000000000C66000-memory.dmp

memory/4496-35-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2432-38-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4D0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2432-45-0x0000000072F30000-0x00000000736E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8C9.exe

MD5 df7a50c002e636cf21e25eaa5d53e00d
SHA1 8cc44f318e30860c1c03cdf03560d5e2df171904
SHA256 1b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA512 25a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681

C:\Users\Admin\AppData\Local\Temp\8C9.exe

MD5 df7a50c002e636cf21e25eaa5d53e00d
SHA1 8cc44f318e30860c1c03cdf03560d5e2df171904
SHA256 1b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA512 25a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2432-58-0x0000000007740000-0x0000000007CE4000-memory.dmp

memory/4144-61-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/4144-62-0x0000000000A30000-0x0000000000A3B000-memory.dmp

memory/4144-67-0x0000000000400000-0x00000000007CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDB.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\DDB.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4080-72-0x0000000004CF0000-0x00000000050EF000-memory.dmp

memory/4080-73-0x00000000050F0000-0x00000000059DB000-memory.dmp

memory/2432-74-0x0000000007230000-0x00000000072C2000-memory.dmp

memory/4080-75-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\f88a49f2-66c8-4831-b1a9-da78505ac601\FD3C.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/5040-77-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4492-78-0x0000000000880000-0x000000000088C000-memory.dmp

memory/4492-79-0x0000000000890000-0x0000000000897000-memory.dmp

memory/4492-80-0x0000000000880000-0x000000000088C000-memory.dmp

memory/3312-81-0x0000000000D00000-0x0000000000D6B000-memory.dmp

memory/2432-82-0x0000000072F30000-0x00000000736E0000-memory.dmp

memory/3312-83-0x0000000001400000-0x0000000001475000-memory.dmp

memory/3312-84-0x0000000000D00000-0x0000000000D6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3164-88-0x00000000085D0000-0x00000000085E6000-memory.dmp

memory/4144-90-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/5040-113-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/3312-117-0x0000000000D00000-0x0000000000D6B000-memory.dmp

memory/2572-119-0x00000000048D0000-0x0000000004965000-memory.dmp

memory/4080-121-0x0000000004CF0000-0x00000000050EF000-memory.dmp

memory/1596-123-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4080-125-0x00000000050F0000-0x00000000059DB000-memory.dmp

memory/1596-124-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1596-127-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD3C.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/4080-128-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2432-129-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4080-132-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4496-133-0x0000000002A60000-0x0000000002B83000-memory.dmp

memory/4496-134-0x0000000002B90000-0x0000000002C98000-memory.dmp

memory/4496-135-0x0000000002B90000-0x0000000002C98000-memory.dmp

memory/2432-136-0x0000000007220000-0x000000000722A000-memory.dmp

memory/4496-138-0x0000000002B90000-0x0000000002C98000-memory.dmp

memory/4496-139-0x0000000002B90000-0x0000000002C98000-memory.dmp

memory/932-140-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

memory/932-142-0x0000000072F30000-0x00000000736E0000-memory.dmp

memory/932-143-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/2432-141-0x0000000008310000-0x0000000008928000-memory.dmp

memory/932-145-0x0000000005540000-0x0000000005B68000-memory.dmp

memory/2432-144-0x00000000075D0000-0x00000000076DA000-memory.dmp

memory/2432-147-0x0000000007490000-0x00000000074A2000-memory.dmp

memory/932-146-0x0000000005450000-0x0000000005472000-memory.dmp

memory/932-148-0x0000000005BE0000-0x0000000005C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfzfiwou.qtm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2432-149-0x0000000007500000-0x000000000753C000-memory.dmp

memory/932-155-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/2432-156-0x0000000007540000-0x000000000758C000-memory.dmp

memory/932-161-0x0000000005DC0000-0x0000000006114000-memory.dmp

memory/932-162-0x00000000063C0000-0x00000000063DE000-memory.dmp

memory/932-163-0x0000000006910000-0x0000000006954000-memory.dmp

memory/932-164-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/932-165-0x0000000007700000-0x0000000007776000-memory.dmp

memory/932-166-0x0000000007E00000-0x000000000847A000-memory.dmp

memory/932-167-0x0000000007780000-0x000000000779A000-memory.dmp

memory/4080-168-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/932-169-0x0000000072F30000-0x00000000736E0000-memory.dmp

memory/932-170-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/932-171-0x000000007F9E0000-0x000000007F9F0000-memory.dmp

memory/932-172-0x0000000007940000-0x0000000007972000-memory.dmp

memory/932-173-0x0000000071540000-0x000000007158C000-memory.dmp

memory/932-174-0x000000006BD30000-0x000000006C084000-memory.dmp

memory/932-184-0x0000000007920000-0x000000000793E000-memory.dmp

memory/932-185-0x0000000007980000-0x0000000007A23000-memory.dmp

memory/932-186-0x0000000007A90000-0x0000000007A9A000-memory.dmp

memory/932-187-0x0000000007B50000-0x0000000007BE6000-memory.dmp

memory/932-188-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/932-189-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

memory/932-190-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

memory/932-191-0x0000000007B00000-0x0000000007B14000-memory.dmp

memory/932-192-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDB.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4080-199-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\jdwsudu

MD5 df7a50c002e636cf21e25eaa5d53e00d
SHA1 8cc44f318e30860c1c03cdf03560d5e2df171904
SHA256 1b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA512 25a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 90c8a1fc9962a4ba68393c0784964b48
SHA1 a28d0d931c9de75600536396684613b242c11dd8
SHA256 da12304caee5de20c0354fe38e25b5a57d4da0d870cfce2fcb4bb9b12523c663
SHA512 1f793f32733d7853d83b3834fd0761b1fb40c9267b9cf8594000f67d7e0988a5206f0c9f63a9a7bb9f7870d0274b29171a23e6ec665bd184578e37730e0f6590

memory/404-260-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 de5e9f81245a0778cc0ca2a52ae8bf52
SHA1 03e97b2ef744b83af4072648dd7585f2185287ac
SHA256 1dc9cbea029cad9aeaf67963926bcd53d6a81cd72b95f308ae678b9ff42e4894
SHA512 f30675133b8321d3c7b58238b8619f318f46b72ab0c0e89d39a61863abad2c547d2168e097ee2ea552e5911996a837932141ae105a3e48d90e2a15e052ce352d

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/404-310-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 19ffd6f46267abec67922268b8419458
SHA1 6e59fbee443b3a6178d90a89e32f99b0b6933506
SHA256 d56802126b1ad98427ff0fb873776bad9319105aa193ebc8bb8cfbe5d7bf746e
SHA512 714c7ecbb8b4641ef3f64d618334cf9ff82cacf0d40cea12b2b40342aaa5611e353939fe16acbc182fb52d0fecab81e0b532a1b55b2c9877716d9f16414d935f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d3f02f439de585bf787964079a5e02a2
SHA1 d233f84f0254c6771e2560e2901bb0903ce029cc
SHA256 f0c49f9ab26b950ea4dce55fe20153e86583058f22a09d59e8b20ad584993118
SHA512 3ca2973a7174515d2b205f1a0e73998ec68f674ba5bad15a68f97fdb6a22f892712e5c53629279c4e17ac8759ed602c70a8e7063bf30adffd530edc4c778e973

memory/3884-373-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c9bc1575f3927f1c209a60fb9d6372ba
SHA1 26827fca9b05dcb8e14bd87ca1d58b327afa1be0
SHA256 39e435ea8c2bb2684b7d3fb9a427e9a3e35e92064e5c3faacb1593420472d133
SHA512 db10c1914fa18e0e1e9eae34d3691892a6865fda71bd98b4f78820d49dc2a5b7515abd67821db4225039ed7ca79e99a45e244f823eda17223745c4466f47c836

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3884-413-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1772-420-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3884-421-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4844-423-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3884-424-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3884-428-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4844-430-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3884-431-0x0000000000400000-0x0000000002FB8000-memory.dmp