Malware Analysis Report

2025-01-18 06:45

Sample ID 231016-fs459sbg7t
Target file.exe
SHA256 2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware trojan upx vidar d37c48c18c73cc0e155c7e1dfde06db9 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware trojan upx vidar d37c48c18c73cc0e155c7e1dfde06db9 stealer

Detected Djvu ransomware

Vidar

Glupteba payload

SmokeLoader

RedLine payload

RedLine

Amadey

Glupteba

Djvu Ransomware

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory
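
The behaviours listed above are, in this detonation, a handful of concrete command lines and one registry write (schtasks every minute, CACLS/icacls stripping delete rights, a netsh allow rule for a csrss.exe outside System32, a silent regsvr32 load, a Run key into AppData). The script below is an added example, not sandbox output: it runs a small rule set over those lines (OBSERVED is copied from the behavioral2 Processes section and the "Adds Run key" row later in this report) and emits one finding per hit, with the rule names, the ATT&CK IDs and the masquerade check being my own assumptions about how a SOC would label them.

```python
"""Classify the persistence and defence-evasion lines a sandbox recorded.

Added example for this report, not sandbox output. OBSERVED is copied from
the behavioral2 Processes section and the "Adds Run key" row of this
report; everything else (rule names, the ATT&CK IDs mapped to them, the
masquerade check) is an assumption about how a SOC would label these lines.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field

OBSERVED = [
    # yiueea.exe -> schtasks: re-launch the dropped copy every minute
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    # yiueea.exe -> cmd: strip the user's rights on its own file and directory
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit',
    # 6C03.exe -> icacls: deny Everyone (S-1-1-0) delete rights on its install directory
    r'icacls "C:\Users\Admin\AppData\Local\a1f4001e-fb38-41be-85a0-2ba5855a68d5" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    # netsh: inbound allow rule for a binary named csrss.exe outside System32
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    # regsvr32: silent registration of a DLL dropped in %TEMP%
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6F70.dll',
    # 6C03.exe: Run key pointing back at its AppData copy (registry row, not a command line)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a1f4001e-fb38-41be-85a0-2ba5855a68d5\\6C03.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6C03.exe N/A',
    # lines that must not fire
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'powershell -nologo -noprofile',
]

# (rule name, ATT&CK technique, pattern). Patterns run case-insensitively with
# finditer, so one chained cmd.exe line yields one finding per CACLS call.
RULES = (
    ("scheduled_task_minute", "T1053.005",
     r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+minute\b(?:.*?/mo\s+(?P<every>\d+))?.*?/tr\s+"?(?P<run>[^"]+)'),
    ("cacls_restrict_own_files", "T1222.001",
     r'\bcacls\s+"(?P<path>[^"]+)"\s+/p\s+"(?P<ace>[^"]+)"'),
    ("icacls_deny_everyone_delete", "T1222.001",
     r'\bicacls\s+"(?P<path>[^"]+)"\s+/deny\s+\*S-1-1-0:(?P<ace>\S+)'),
    ("firewall_allow_rule", "T1562.004",
     r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?action=allow\b.*?program="(?P<program>[^"]+)"'),
    ("regsvr32_silent_register", "T1218.010",
     r'regsvr32(?:\.exe)?\s+/s\s+(?P<dll>\S+)'),
    ("run_key_autostart", "T1547.001",
     r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<value>(?:\\.|[^"\\])*)"'),
)
COMPILED = [(name, tech, re.compile(pat, re.I)) for name, tech, pat in RULES]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}


def masquerades_as_system_binary(path):
    # True for a core Windows process name that lives outside the system
    # directories, which is exactly what the netsh rule above whitelists.
    name = ntpath.basename(path).lower()
    return name in SYSTEM_NAMES and ntpath.dirname(path).lower() not in SYSTEM_DIRS


@dataclass
class Finding:
    rule: str
    technique: str
    line: str
    detail: dict = field(default_factory=dict)


def classify(lines):
    """Run every rule over every line; returns one Finding per match."""
    findings = []
    for line in lines:
        for name, technique, rx in COMPILED:
            for m in rx.finditer(line):
                detail = {k: v for k, v in m.groupdict().items() if v is not None}
                target = detail.get("program") or detail.get("run")
                if target and masquerades_as_system_binary(target):
                    detail["masquerade"] = True
                findings.append(Finding(name, technique, line, detail))
    return findings


def summarize(findings):
    """Rule -> hit count, the shape a triage ticket would carry."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = classify(OBSERVED)
    for f in hits:
        print(f"{f.technique:10} {f.rule:28} {f.detail}")
    print(summarize(hits))
```

Running it prints nine findings for the six malicious lines and nothing for AppLaunch.exe or the bare powershell invocation; the four CACLS hits come from the single chained cmd.exe line, and the firewall finding carries masquerade=True because C:\Windows\rss\csrss.exe borrows a core process name without living in a system directory.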

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 05:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 05:09

Reported

2023-10-16 05:12

Platform

win10v2004-20230915-en

Max time kernel

66s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(11 rows, every column N/A)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(12 rows, every column N/A)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\73F6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6C03.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a1f4001e-fb38-41be-85a0-2ba5855a68d5\\6C03.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6C03.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\windefender.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\windefender.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\825F.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\79B3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\79B3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\79B3.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\825F.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
(62 further rows, every column N/A)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\825F.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\windefender.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3164 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3164 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3164 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe
PID 3164 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe
PID 3164 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe
PID 3164 wrote to memory of 984 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3164 wrote to memory of 984 N/A N/A C:\Windows\system32\regsvr32.exe
PID 984 wrote to memory of 996 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 984 wrote to memory of 996 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 984 wrote to memory of 996 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe
PID 3164 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe
PID 3164 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe
PID 2040 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2040 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2040 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3164 wrote to memory of 2180 N/A N/A C:\Users\Admin\AppData\Local\Temp\79B3.exe
PID 3164 wrote to memory of 2180 N/A N/A C:\Users\Admin\AppData\Local\Temp\79B3.exe
PID 3164 wrote to memory of 2180 N/A N/A C:\Users\Admin\AppData\Local\Temp\79B3.exe
PID 1712 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Windows\SysWOW64\icacls.exe
PID 1240 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Windows\SysWOW64\icacls.exe
PID 1240 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Windows\SysWOW64\icacls.exe
PID 3164 wrote to memory of 3544 N/A N/A C:\Users\Admin\AppData\Local\Temp\825F.exe
PID 3164 wrote to memory of 3544 N/A N/A C:\Users\Admin\AppData\Local\Temp\825F.exe
PID 3164 wrote to memory of 3544 N/A N/A C:\Users\Admin\AppData\Local\Temp\825F.exe
PID 3164 wrote to memory of 4836 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 4836 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 4836 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 4836 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 4756 N/A N/A C:\Windows\explorer.exe
PID 3164 wrote to memory of 4756 N/A N/A C:\Windows\explorer.exe
PID 3164 wrote to memory of 4756 N/A N/A C:\Windows\explorer.exe
PID 3180 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3180 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3180 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3180 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
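
The table above is the process tree flattened to one row per write, so the same edge repeats and the chain from the root PID down to schtasks.exe and cacls.exe has to be reassembled by hand. The script below is an added example, not sandbox output: it parses a constructed subset of those rows (copied from the table, header included, one duplicate kept on purpose) into a parent-to-child map, renders it as an indented tree and can list every descendant of a PID. It assumes image paths contain no spaces, which holds for every row in this report; the root PID has no image in the Process column, so it is shown as not captured rather than guessed.

```python
"""Rebuild the parent/child process tree from the flattened "Suspicious use
of WriteProcessMemory" rows above.

Added example, not part of the sandbox output. ROWS is a constructed subset
of that table, header included and with a duplicate row kept on purpose
(the sandbox emits one row per write, so the same edge repeats). Assumption:
image paths contain no spaces, which holds for every row in this report; a
path with spaces would need the sandbox's structured export instead.
"""
import re

ROWS = r"""
Description Indicator Process Target
PID 3164 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3164 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 3164 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe
PID 3164 wrote to memory of 984 N/A N/A C:\Windows\system32\regsvr32.exe
PID 984 wrote to memory of 996 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3312 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Users\Admin\AppData\Local\Temp\6C03.exe
PID 464 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\6D2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3164 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe
PID 2040 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\73F6.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3164 wrote to memory of 2180 N/A N/A C:\Users\Admin\AppData\Local\Temp\79B3.exe
PID 1712 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6C03.exe C:\Windows\SysWOW64\icacls.exe
PID 3164 wrote to memory of 3544 N/A N/A C:\Users\Admin\AppData\Local\Temp\825F.exe
PID 3164 wrote to memory of 4836 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3164 wrote to memory of 4756 N/A N/A C:\Windows\explorer.exe
PID 3180 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3180 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
""".strip().splitlines()

# Description, Indicator, Process, Target: the last three columns are single
# tokens because no path in this report contains a space.
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)"
    r"\s+(?P<indicator>\S+)\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)


def parse_rows(rows):
    """Return (children, names): children maps a PID to its child PIDs in
    first-seen order without duplicates; names maps a PID to its image path."""
    children, names = {}, {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue  # header line, or a row the sandbox did not fully render
        src, dst = int(m["src"]), int(m["dst"])
        if m["proc"] != "N/A":
            names.setdefault(src, m["proc"])
        if m["target"] != "N/A":
            names.setdefault(dst, m["target"])
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return children, names


def roots(children):
    """PIDs that wrote to others but were never written to: the chain heads."""
    written_to = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written_to]


def render(children, names, pid=None, depth=0):
    """Indented text tree; an unnamed PID gets a placeholder, not a guess."""
    if pid is None:
        return "\n".join(render(children, names, r) for r in roots(children))
    lines = ["  " * depth + f"{pid} {names.get(pid, '(image not captured)')}"]
    for kid in children.get(pid, []):
        lines.append(render(children, names, kid, depth + 1))
    return "\n".join(lines)


def descendants(children, pid):
    """Every PID reachable from pid, for scoping containment or a memory grab."""
    seen, stack = set(), list(children.get(pid, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(children.get(p, []))
    return seen


if __name__ == "__main__":
    ch, nm = parse_rows(ROWS)
    print(render(ch, nm))
```

The rendered tree puts 3164 at the root with eight direct children and shows the two chains worth scoping first: 73F6.exe to yiueea.exe to schtasks.exe and the cmd.exe/cacls.exe pair, and 6C03.exe to its second instance to icacls.exe. descendants(ch, 2040) returns that whole yiueea.exe subtree, which is the set of PIDs to collect before the minute-interval task re-spawns it.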

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\6C03.exe

C:\Users\Admin\AppData\Local\Temp\6C03.exe

C:\Users\Admin\AppData\Local\Temp\6D2D.exe

C:\Users\Admin\AppData\Local\Temp\6D2D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6F70.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6F70.dll

C:\Users\Admin\AppData\Local\Temp\6C03.exe

C:\Users\Admin\AppData\Local\Temp\6C03.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 464 -ip 464

C:\Users\Admin\AppData\Local\Temp\73F6.exe

C:\Users\Admin\AppData\Local\Temp\73F6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 288

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\79B3.exe

C:\Users\Admin\AppData\Local\Temp\79B3.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a1f4001e-fb38-41be-85a0-2ba5855a68d5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\825F.exe

C:\Users\Admin\AppData\Local\Temp\825F.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6C03.exe

"C:\Users\Admin\AppData\Local\Temp\6C03.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6C03.exe

"C:\Users\Admin\AppData\Local\Temp\6C03.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\825F.exe

"C:\Users\Admin\AppData\Local\Temp\825F.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto

Files


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 05:09

Reported

2023-10-16 05:11

Platform

win7-20230831-en

Max time kernel

36s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bfd34d28-25c5-4f1d-9085-aa769075e7c6\\9F8A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9F8A.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\A1CC.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 1228 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 1228 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 1228 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 1228 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 1228 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 1228 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 1228 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe
PID 2816 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\9F8A.exe C:\Users\Admin\AppData\Local\Temp\9F8A.exe
PID 1228 wrote to memory of 2680 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 2680 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 2680 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 2680 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 2680 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2680 wrote to memory of 2576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2680 wrote to memory of 2576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2680 wrote to memory of 2576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2680 wrote to memory of 2576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2680 wrote to memory of 2576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2680 wrote to memory of 2576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2680 wrote to memory of 2576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2756 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1228 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe
PID 1228 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe
PID 1228 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe
PID 1228 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2756 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2756 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2756 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\A1CC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2572 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\AB02.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2252 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2252 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

C:\Users\Admin\AppData\Local\Temp\A1CC.exe

C:\Users\Admin\AppData\Local\Temp\A1CC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A768.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A768.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\AB02.exe

C:\Users\Admin\AppData\Local\Temp\AB02.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 80

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\bfd34d28-25c5-4f1d-9085-aa769075e7c6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

"C:\Users\Admin\AppData\Local\Temp\9F8A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

"C:\Users\Admin\AppData\Local\Temp\9F8A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B7CF.exe

C:\Users\Admin\AppData\Local\Temp\B7CF.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {2247605D-D5AC-472A-9EAC-59F57C98A5BB} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\ctctidd

C:\Users\Admin\AppData\Roaming\ctctidd

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

"C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe"

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

"C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016051009.log C:\Windows\Logs\CBS\CbsPersist_20231016051009.cab

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build3.exe

"C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build3.exe"

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build3.exe

"C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build3.exe"

C:\Users\Admin\AppData\Local\Temp\B7CF.exe

"C:\Users\Admin\AppData\Local\Temp\B7CF.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.1:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.1:443 api.2ip.ua tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.168.53.110:80 zexeq.com tcp
AR 181.170.86.159:80 colisumy.com tcp
FR 146.59.161.13:39199 tcp
KR 211.168.53.110:80 zexeq.com tcp
US 8.8.8.8:53 6816b51c-3741-42e6-9dcf-87b1e527318c.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
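The network table mixes three things a responder wants separated: DNS queries to the sandbox's resolver (8.8.8.8), TCP connections to named C2 hosts, and connections to bare IPs with no name at all (79.137.192.18:80, 146.59.161.13:39199), plus Microsoft infrastructure the guest OS contacts on its own. The parser below is an added example, not part of the report, run over a subset of the rows above. The allow-list of benign suffixes and the list of public IP-echo services are my assumptions; the report itself only flags api.2ip.ua under "Looks up external IP address via web service". Domains that were resolved but never connected to are kept separately, since a dead or sinkholed C2 is still an indicator.

```python
import re
from dataclasses import dataclass, field

# Rows copied from the "Network" table above (sandbox output, not constructed); a subset for brevity.
NETWORK_ROWS = """\
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.1:443 api.2ip.ua tcp
PS 213.6.54.58:443 alayyadcare.com tcp
KR 211.168.53.110:80 zexeq.com tcp
AR 181.170.86.159:80 colisumy.com tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 6816b51c-3741-42e6-9dcf-87b1e527318c.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
"""

# The domain column is optional: the 146.59.161.13:39199 row has none.
ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")

# Assumed allow-list: infrastructure the guest OS contacts itself (symbol server, error reporting uploads).
BENIGN_SUFFIXES = (".microsoft.com", ".windows.net")
# Assumed list of public "what is my IP" services.
IP_ECHO_SERVICES = {"api.2ip.ua", "api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me", "ip-api.com"}

@dataclass
class Iocs:
    c2_domains: dict = field(default_factory=dict)   # domain -> {"ip:port", ...} actually connected to
    raw_endpoints: set = field(default_factory=set)  # "ip:port" reached without any DNS name
    dns_only: set = field(default_factory=set)       # resolved but never connected
    ip_echo: set = field(default_factory=set)
    benign: set = field(default_factory=set)

def classify(domain):
    if domain in IP_ECHO_SERVICES:
        return "ip_echo"
    if domain.endswith(BENIGN_SUFFIXES):
        return "benign"
    return "c2"

def extract_iocs(rows):
    iocs, queried, connected = Iocs(), set(), {}
    for line in rows.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, port, domain, proto = m["ip"], m["port"], m["domain"], m["proto"]
        endpoint = f"{ip}:{port}"
        if proto == "udp" and port == "53":
            if domain:
                queried.add(domain)
            continue                           # the resolver itself is not an indicator
        if not domain or domain == ip:
            iocs.raw_endpoints.add(endpoint)   # direct-to-IP traffic; nothing to block by name
            continue
        connected.setdefault(domain, set()).add(endpoint)
    for domain, endpoints in connected.items():
        bucket = classify(domain)
        if bucket == "c2":
            iocs.c2_domains[domain] = endpoints
        else:
            getattr(iocs, bucket).add(domain)
    for domain in queried - set(connected):
        bucket = classify(domain)
        if bucket == "c2":
            iocs.dns_only.add(domain)
        else:
            getattr(iocs, bucket).add(domain)
    return iocs

def blocklist(iocs):
    """C2 names (connected or only resolved) plus every C2 IP with the port stripped."""
    ips = {ep.rsplit(":", 1)[0] for eps in iocs.c2_domains.values() for ep in eps}
    ips |= {ep.rsplit(":", 1)[0] for ep in iocs.raw_endpoints}
    return sorted(set(iocs.c2_domains) | iocs.dns_only | ips)

if __name__ == "__main__":
    result = extract_iocs(NETWORK_ROWS)
    for domain, endpoints in result.c2_domains.items():
        print(f"C2  {domain:30} {sorted(endpoints)}")
    print("raw endpoints:", sorted(result.raw_endpoints))
    print("dns only:", sorted(result.dns_only))
    print("blocklist:", blocklist(result))
```

Treat the blocklist as a starting point, not a finished control: 188.114.97.1 (api.2ip.ua) and the 104.21.x / 172.67.x addresses elsewhere in the table sit behind shared CDN front ends, which is why the script blocks the echo service by name only and never adds its IP.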

Files

memory/2208-1-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/2208-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2208-3-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/1228-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/2208-5-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/2208-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2816-21-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2816-22-0x0000000000220000-0x00000000002B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2816-26-0x0000000004590000-0x00000000046AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2092-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2816-36-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2092-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2092-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A768.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

\Users\Admin\AppData\Local\Temp\A768.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Local\Temp\AB02.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2520-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2520-47-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2520-63-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2520-60-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2520-58-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2576-46-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2576-45-0x0000000000190000-0x0000000000196000-memory.dmp

memory/2520-52-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB02.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2520-44-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2520-43-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\A1CC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\bfd34d28-25c5-4f1d-9085-aa769075e7c6\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2520-95-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/1320-96-0x0000000002CC0000-0x0000000002D51000-memory.dmp

memory/2092-92-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-97-0x0000000002CC0000-0x0000000002D51000-memory.dmp

\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\9F8A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/548-109-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2060-111-0x0000000004800000-0x0000000004BF8000-memory.dmp

memory/548-112-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B7CF.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\B7CF.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1492-114-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/1492-115-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1492-116-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/2060-117-0x0000000004800000-0x0000000004BF8000-memory.dmp

memory/2060-121-0x0000000004C00000-0x00000000054EB000-memory.dmp

memory/1940-123-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2060-132-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1940-133-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2520-134-0x00000000073B0000-0x00000000073F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC10E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/1492-147-0x00000000000C0000-0x000000000012B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6bf6c443988dbc968a029444a6913b1
SHA1 9720aac47b49ecfd5efecce3bd1eb756938aea41
SHA256 a384fd25df2cad24b46aff85cbb1f055da0770941d9b2c1347fe03cbe8eabbe8
SHA512 af05cb1f69634655827c63f244cb7964ab8f4a35915db9fcea1b8af6147738f6cd96b94f6d0830249cb80edae67cdeff22875cb0b9353729ea6709f0667d9d1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8dff1deb316ed3b52ed54a32225b45d8
SHA1 ec2016da91ebb2988062c07a60dabade66005233
SHA256 f5e74d07e4ecd6372a3aa10640d51a50370e744c7284a4201b87f526cf4c24f0
SHA512 f2af9cb36016f7af3a54c7f1416bb1b90dd7f96add0afa3b1e25122ae7be641631120ec7b0af286f0208fab8fca97eb47dabad77649026e2d4370b389f9ef575

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 aab2c0ac341d244950bd1fc232f6cd54
SHA1 024cc43041e8f4e0a113e1c5eafa28dc7afe778d
SHA256 a9fc1e5ea4a6d391f361aafe110970589f2d25665e456f43c9f16fa0c716bddd
SHA512 8bd7c9d0a827e0444cff4201ccac65a024c8147300c5cdad85a32f409d25b4b37e6ba85598fbb3c1b87a731c260091d7ad2dedc3e062cc159cdb16e7022537d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 503d5551ecbd2b7d971fc87558994b62
SHA1 9534b4857c34e88805f5cd8a73fda25f9dd01fc3
SHA256 79e2cd6b36f31b1b5dd3f09324a88d1a296632669e427663b33b928910d2cd3b
SHA512 ceb7058738d156881b0088e711095a12d53412043aa70e430ffb7d40f256d51a584331b3138b7046f2935852e2a23d5444c4dd4a8c4bfba7bcc8fe496206ed13

memory/2520-148-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/548-150-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-151-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B7CF.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/548-153-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2576-154-0x00000000023F0000-0x0000000002513000-memory.dmp

memory/2576-155-0x0000000001EA0000-0x0000000001FA8000-memory.dmp

memory/548-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2576-160-0x0000000001EA0000-0x0000000001FA8000-memory.dmp

memory/548-165-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2576-166-0x0000000001EA0000-0x0000000001FA8000-memory.dmp

memory/2060-164-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2060-167-0x0000000004C00000-0x00000000054EB000-memory.dmp

memory/2060-168-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2576-169-0x0000000001EA0000-0x0000000001FA8000-memory.dmp

memory/548-170-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\ctctidd

MD5 2f13d8ffd6d0a53af1932f2930658f00
SHA1 15c1580a1f05c201b2789a11c94f968ad9133bc7
SHA256 2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900
SHA512 2217de9fcbc6c2e120fedf3034b1bca09d3f16603dda142a1e4e515e8ba000171bb1cb68e4aa2727844a24e03a96fb9c7b7ea62825e25a8771ef9b59eec3acc7

\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2520-184-0x00000000073B0000-0x00000000073F0000-memory.dmp

memory/1976-186-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/1976-187-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1976-188-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/916-191-0x0000000000220000-0x0000000000271000-memory.dmp

memory/916-190-0x0000000002480000-0x0000000002580000-memory.dmp

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2136-193-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2136-195-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2136-198-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/548-210-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1976-213-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/2060-211-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1228-214-0x0000000002C90000-0x0000000002CA6000-memory.dmp

memory/1976-216-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/2060-224-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2960-234-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2960-236-0x00000000003A0000-0x00000000003A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B7CF.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/528-246-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2608-247-0x0000000004A60000-0x0000000004E58000-memory.dmp

memory/2608-248-0x0000000004E60000-0x000000000574B000-memory.dmp

memory/2608-251-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2608-256-0x0000000004A60000-0x0000000004E58000-memory.dmp

memory/2608-257-0x0000000000400000-0x0000000002FB8000-memory.dmp

\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2608-272-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1916-273-0x00000000049A0000-0x0000000004D98000-memory.dmp

memory/1916-274-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1916-282-0x00000000049A0000-0x0000000004D98000-memory.dmp

memory/2060-285-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1916-286-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2520-288-0x0000000072F30000-0x000000007361E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/2792-303-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\TarF9EA.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e5ea395d4248e5ac5fb0db8647938c8b
SHA1 1a8f73a0fca56c15abc9b4975148b1ae7c7e45c4
SHA256 675e15c38900ebf76dd8a3731a2040e742105d70e56d8a96ad838e929b08fc9a
SHA512 776c7f68eac558b7211eedca09205b1c1315d8f71324698175bd3fa0b377f574b78c2ec2048b8ece569b64a719eb11d75d8f7af3db638651957dfc968f873cfb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
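One way to make this file listing actionable, as an added example that is not part of the report or of the sandbox's own tooling: parse the path/hash blocks and the memory-dump names into a deduplicated IOC set keyed by SHA256, then hash a directory tree against that set. The code assumes the layout shown above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, dumps named `memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp`), assumes that drive-less paths such as `\Users\...` are the same files as their `C:\Users\...` twins, and uses an excerpt of this section's own values as its sample input; `hunt()` and the hypothetical local file it matches are the only parts not drawn from the listing.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing into IOCs and
hunt a directory tree for them. Added example, not the report's or the sandbox
vendor's code; assumes the layout seen above (path line, then MD5/SHA1/SHA256/
SHA512 lines; dumps named memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp)."""
import hashlib
import os
import re
from dataclasses import dataclass, field

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class FileIOC:
    sha256: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest
    paths: list = field(default_factory=list)   # every path the file was written to


def normalize_path(path: str) -> str:
    """The report lists one file both as '\\Users\\...' and 'C:\\Users\\...'.
    ASSUMPTION: drive-less paths are on C:, so the two forms fold together."""
    return "C:" + path if path.startswith("\\") else path


def parse_listing(text: str):
    """Return ({sha256: FileIOC}, [(pid, seq, base, end)]) from the listing.
    Keying by SHA256 collapses repeated blocks for one file into a single IOC
    carrying every path. A hash block whose path line lies outside the excerpt
    (as at the top of the section) is skipped; a block that gives a different
    MD5/SHA1/SHA512 for a SHA256 already seen raises (transcription error)."""
    files, regions = {}, []
    path, hashes = None, {}

    def flush():
        if path is None or "SHA256" not in hashes:
            return
        ioc = files.setdefault(hashes["SHA256"], FileIOC(hashes["SHA256"]))
        for algo, digest in hashes.items():
            if ioc.hashes.setdefault(algo, digest) != digest:
                raise ValueError(f"{algo} conflict for {ioc.sha256}")
        if normalize_path(path) not in ioc.paths:
            ioc.paths.append(normalize_path(path))

    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, seq, base, end = m.groups()
            regions.append((int(pid), int(seq), int(base, 16), int(end, 16)))
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            hashes[algo] = digest
        else:                    # any other line is a path and opens a new block
            flush()
            path, hashes = line, {}
    flush()
    return files, regions


def sha256_file(fname: str) -> str:
    with open(fname, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def hunt(files: dict, root: str) -> list:
    """Hash every file under root; return (local_path, FileIOC) per SHA256 hit.
    Matching on content, not name, still finds the payload the report shows under
    two names (Temp\\B7CF.exe and Windows\\rss\\csrss.exe share one SHA256)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:      # unreadable or already gone: skip, keep walking
                continue
            if digest in files:
                hits.append((full, files[digest]))
    return hits


# Excerpt of the listing above (the report's own values), keeping the orphaned
# hash line at the top and the one payload that appears under two names.
SAMPLE = r"""
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454

\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe
MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
memory/1976-188-0x0000000000400000-0x00000000007CC000-memory.dmp
C:\Users\Admin\AppData\Local\4973b4c4-55d0-43fb-bbbe-b9713629355f\build2.exe
MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
C:\Users\Admin\AppData\Local\Temp\B7CF.exe
MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
memory/2608-251-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\rss\csrss.exe
MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
"""
```

Running `parse_listing` over the whole section rather than the excerpt collapses the repeated build3.exe and ntkrnlmp.exe blocks to one IOC each, and the MD5/SHA1 consistency check is the cheap safeguard against a mis-copied digest before the set is pushed to an EDR blocklist. The dump tuples give the base and size of each captured region, so a 0x400000 base with a multi-megabyte extent can be told apart from the small heap-sized regions that also appear above.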