Malware Analysis Report

2025-01-18 06:52

Sample ID 231016-hvlstacc9v
Target 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03
SHA256 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03
Tags
amadey djvu glupteba redline smokeloader vidar d37c48c18c73cc0e155c7e1dfde06db9 logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03

Threat Level: Known bad

The file 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Amadey

Glupteba

Djvu Ransomware

Glupteba payload

Detected Djvu ransomware

RedLine payload

RedLine

Vidar

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Accesses Microsoft Outlook profiles

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

outlook_win_path

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-16 07:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-16 07:03

Reported: 2023-10-16 07:06

Platform: win10-20230915-en

Max time kernel: 101s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (17 identical hits, no details recorded)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical hits, no details recorded)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec666076-3bbf-40d6-9b59-cece683eee7c\\319A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\319A.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\614A.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4AD3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4AD3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4AD3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe N/A
N/A N/A N/A N/A (62 further identical hits, no details recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4AD3.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\614A.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3208 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 3208 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 3208 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 3208 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe
PID 3208 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe
PID 3208 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4956 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 3208 wrote to memory of 2216 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3208 wrote to memory of 2216 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2216 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2100 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 772 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\32F3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Windows\SysWOW64\icacls.exe
PID 696 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Windows\SysWOW64\icacls.exe
PID 696 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Windows\SysWOW64\icacls.exe
PID 696 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 696 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 696 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 3208 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\44B8.exe
PID 3208 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\44B8.exe
PID 3208 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\44B8.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 1092 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\319A.exe C:\Users\Admin\AppData\Local\Temp\319A.exe
PID 4480 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\44B8.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4480 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\44B8.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4480 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\44B8.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3208 wrote to memory of 4524 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AD3.exe
PID 3208 wrote to memory of 4524 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AD3.exe
PID 3208 wrote to memory of 4524 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AD3.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe

"C:\Users\Admin\AppData\Local\Temp\3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03.exe"

C:\Users\Admin\AppData\Local\Temp\319A.exe

C:\Users\Admin\AppData\Local\Temp\319A.exe

C:\Users\Admin\AppData\Local\Temp\32F3.exe

C:\Users\Admin\AppData\Local\Temp\32F3.exe

C:\Users\Admin\AppData\Local\Temp\319A.exe

C:\Users\Admin\AppData\Local\Temp\319A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\364F.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\364F.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 252

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ec666076-3bbf-40d6-9b59-cece683eee7c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\319A.exe

"C:\Users\Admin\AppData\Local\Temp\319A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\44B8.exe

C:\Users\Admin\AppData\Local\Temp\44B8.exe

C:\Users\Admin\AppData\Local\Temp\319A.exe

"C:\Users\Admin\AppData\Local\Temp\319A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\4AD3.exe

C:\Users\Admin\AppData\Local\Temp\4AD3.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe

"C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\614A.exe

C:\Users\Admin\AppData\Local\Temp\614A.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe

"C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build3.exe

"C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build3.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\614A.exe

"C:\Users\Admin\AppData\Local\Temp\614A.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build3.exe

"C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 96.134.101.95.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 zexeq.com udp
KR 211.168.53.110:80 colisumy.com tcp
KR 211.181.24.132:80 zexeq.com tcp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
FR 146.59.161.13:39199 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 132.24.181.211.in-addr.arpa udp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
KR 211.181.24.132:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
DE 168.119.243.238:8000 168.119.243.238 tcp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 238.243.119.168.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
KR 175.126.109.15:80 wirtshauspost.at tcp
US 8.8.8.8:53 15.109.126.175.in-addr.arpa udp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
KR 175.126.109.15:80 wirtshauspost.at tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp

Files

memory/4984-1-0x0000000000850000-0x0000000000950000-memory.dmp

memory/4984-2-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/4984-3-0x0000000000830000-0x000000000083B000-memory.dmp

memory/3208-4-0x0000000000740000-0x0000000000756000-memory.dmp

memory/4984-5-0x0000000000400000-0x00000000007CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\319A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\319A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\32F3.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/4956-22-0x0000000004920000-0x00000000049B8000-memory.dmp

memory/4956-23-0x0000000004AC0000-0x0000000004BDB000-memory.dmp

memory/696-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\319A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/696-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/696-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/696-29-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32F3.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\364F.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

\Users\Admin\AppData\Local\Temp\364F.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2100-34-0x00000000031F0000-0x00000000031F6000-memory.dmp

memory/2100-35-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/1272-36-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-49-0x0000000072D80000-0x000000007346E000-memory.dmp

C:\Users\Admin\AppData\Local\ec666076-3bbf-40d6-9b59-cece683eee7c\319A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/1272-52-0x000000000C050000-0x000000000C54E000-memory.dmp

memory/1272-53-0x000000000BC30000-0x000000000BCC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\319A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/696-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1272-57-0x000000000BE10000-0x000000000BE20000-memory.dmp

memory/1272-59-0x000000000BD90000-0x000000000BD9A000-memory.dmp

memory/1092-60-0x0000000004750000-0x00000000047F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44B8.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\44B8.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1936-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\319A.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/1936-70-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-71-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1272-72-0x000000000CB60000-0x000000000D166000-memory.dmp

memory/1272-74-0x000000000C550000-0x000000000C65A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1272-78-0x000000000BE80000-0x000000000BE92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1272-79-0x000000000BEE0000-0x000000000BF1E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 73ffc7a4a131b294fccdec150bc1e57d
SHA1 ed5d819cedfc31d4272e0f739246ddf10bbe0cc5
SHA256 3d9e3c9151f189dbf5f6c54253cedf5818ab79c3cb98f620464990929370c139
SHA512 0d88187310e6fbc17668faadca4fb770f5cbd85bb1496c81e6a31d10efbf33090053812b056910451f040e3097edf8c5f80f7fa88fd06dd31f5a8768e2501c9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 639acdaace58c43d0f7bd1e39500f3e9
SHA1 5cbd8726f735229378f02c46f21a999f97ecadcd
SHA256 f656a4d01e8098ee56f6ea78e9946b617e1da0958eb882898efb5dc42759aad0
SHA512 7cf8ec1c20a0ca4ac806968170516e1aaabdfb2c5b31cb42405911592283ef18108b404cde5e1d9205b66d27aaf535464923b4486086d7570078d9eb86665bde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fcd6436654dc61b5797d1bc659b8bf28
SHA1 d441d45f1cf8746cbcd16747def5b3a24f0081ef
SHA256 7f98e7219347a95a9c2d2773daadd0553d218c2b0376b2725f2726241247492c
SHA512 56ea8c1286d311db825a2095a4c2365fc56712f658ee6ee7c17e93a6147bbf674e6e14c86be37f4d761357767f9cf3d32d8d947bb97d41a56fda1012f63e7561

memory/1272-84-0x000000000BF20000-0x000000000BF6B000-memory.dmp

memory/1936-85-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-88-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4AD3.exe

MD5 e9fb654e3c0663dafa388c2983682485
SHA1 155aefc6c6f3127e1a7bd39da961e4806ef67bf5
SHA256 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630
SHA512 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4

C:\Users\Admin\AppData\Local\Temp\4AD3.exe

MD5 e9fb654e3c0663dafa388c2983682485
SHA1 155aefc6c6f3127e1a7bd39da961e4806ef67bf5
SHA256 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630
SHA512 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4

memory/1936-98-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-100-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1936-101-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4524-104-0x00000000001E0000-0x00000000001EB000-memory.dmp

memory/4524-105-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/4524-103-0x0000000000830000-0x0000000000930000-memory.dmp

memory/1272-109-0x0000000072D80000-0x000000007346E000-memory.dmp

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1936-114-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2100-115-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/1272-116-0x000000000BE10000-0x000000000BE20000-memory.dmp

memory/2100-118-0x0000000005100000-0x0000000005223000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\614A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\614A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/5072-124-0x00000000025F0000-0x00000000026F0000-memory.dmp

memory/5072-126-0x00000000023E0000-0x0000000002431000-memory.dmp

memory/2100-125-0x0000000005230000-0x0000000005338000-memory.dmp

memory/2224-127-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2224-129-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2224-130-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2224-137-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1936-136-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2100-141-0x0000000005230000-0x0000000005338000-memory.dmp

memory/1272-145-0x000000000C700000-0x000000000C766000-memory.dmp

memory/1784-146-0x0000000002F50000-0x0000000002FBB000-memory.dmp

memory/1784-148-0x0000000003200000-0x0000000003275000-memory.dmp

memory/2100-147-0x0000000005230000-0x0000000005338000-memory.dmp

memory/1784-149-0x0000000002F50000-0x0000000002FBB000-memory.dmp

memory/4524-153-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/4924-152-0x0000000005090000-0x000000000597B000-memory.dmp

memory/1588-154-0x00000000001E0000-0x00000000001EC000-memory.dmp

memory/1588-158-0x00000000001E0000-0x00000000001EC000-memory.dmp

memory/3208-151-0x00000000025D0000-0x00000000025E6000-memory.dmp

memory/4924-150-0x0000000004C80000-0x0000000005082000-memory.dmp

memory/4924-171-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2100-172-0x0000000005230000-0x0000000005338000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1784-180-0x0000000002F50000-0x0000000002FBB000-memory.dmp

memory/1272-185-0x000000000D500000-0x000000000D550000-memory.dmp

memory/2224-193-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2224-306-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1272-474-0x000000000E430000-0x000000000E5F2000-memory.dmp

memory/1272-475-0x000000000EB30000-0x000000000F05C000-memory.dmp

memory/4952-478-0x0000000004740000-0x0000000004776000-memory.dmp

memory/4952-480-0x0000000072D80000-0x000000007346E000-memory.dmp

memory/4952-482-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/2224-484-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4952-486-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4952-489-0x00000000070C0000-0x00000000076E8000-memory.dmp

memory/4952-490-0x0000000006E70000-0x0000000006E92000-memory.dmp

memory/4952-493-0x00000000076F0000-0x0000000007756000-memory.dmp

memory/4952-505-0x0000000007760000-0x0000000007AB0000-memory.dmp

memory/4924-503-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4924-518-0x0000000004C80000-0x0000000005082000-memory.dmp

memory/4952-532-0x0000000006FE0000-0x0000000006FFC000-memory.dmp

memory/4924-541-0x0000000005090000-0x000000000597B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujh5nsg3.j5f.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4952-601-0x00000000080C0000-0x00000000080FC000-memory.dmp

memory/4952-658-0x0000000008DF0000-0x0000000008E66000-memory.dmp

memory/4952-674-0x00000000099A0000-0x00000000099D3000-memory.dmp

memory/4952-675-0x00000000704D0000-0x000000007051B000-memory.dmp

memory/4952-677-0x0000000009980000-0x000000000999E000-memory.dmp

memory/4952-676-0x000000006B9E0000-0x000000006BD30000-memory.dmp

memory/4924-673-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4952-682-0x00000000099E0000-0x0000000009A85000-memory.dmp

memory/4952-684-0x0000000072D80000-0x000000007346E000-memory.dmp

memory/4952-685-0x000000007EFB0000-0x000000007EFC0000-memory.dmp

memory/4952-686-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4952-687-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4952-688-0x0000000009DE0000-0x0000000009E74000-memory.dmp

memory/4952-710-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/1272-763-0x0000000072D80000-0x000000007346E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\614A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Roaming\sgtsher

MD5 e9fb654e3c0663dafa388c2983682485
SHA1 155aefc6c6f3127e1a7bd39da961e4806ef67bf5
SHA256 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630
SHA512 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0501d3cb724fcfcdfd473889b758ea3b
SHA1 37ca292a5d4f5d66b5ea40784e293c4be899678b
SHA256 162ef0f13e84a93d9a7e6b165fb2c81ae5132ecc461627a2664decacc408c7d8
SHA512 c369cf549b4b7468225df67b7dd670610fb0ab281cbcfc48ca9552cb399fb38175051231ae66dbe5a272c8456de7d56daa5b74c8c8488016765dc297d94296d4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 45110d0f6ace394f2b7bf71263126f3c
SHA1 e8b15b0f9a92ee2ce917086c640da10acdb1f1cc
SHA256 8c45b4a271f638bdaedf59ac15756ee792d055fa7172ea826deafc413e461c73
SHA512 aa70900fac97505cd498f9fce085a768ba8e27da0d7fc5e580d75acb0ddd24d4b2c966adbfbebd3bfbf6f287a0cf918d67b27f270e2751da252eb4c0761d04de

C:\Users\Admin\AppData\Local\785ff61d-509b-42a3-98bb-ab8bb31c9b52\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319