Malware Analysis Report

2025-01-18 05:27

Sample ID 231016-px1hbagf25
Target 0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f
SHA256 0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f
Tags
amadey djvu glupteba redline smokeloader vidar d37c48c18c73cc0e155c7e1dfde06db9 logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f

Threat Level: Known bad

The file 0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

RedLine payload

Detected Djvu ransomware

Djvu Ransomware

SmokeLoader

Vidar

RedLine

Glupteba

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Modifies file permissions

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

outlook_win_path

Modifies data under HKEY_USERS

Creates scheduled task(s)

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 12:43

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 12:43

Reported

2023-10-16 12:46

Platform

win10-20230915-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3D82.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3D82.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3D82.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4a9ed65e-6a86-4302-93d7-ba3398f754d2\\39D8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\39D8.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3D82.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D82.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\51F8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\51F8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\51F8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\a2d55a4f-e1fb-4507-af82-f9ff684f6df7\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\a2d55a4f-e1fb-4507-af82-f9ff684f6df7\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51F8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3D82.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5D44.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5D44.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3136 wrote to memory of 5076 N/A N/A C:\Users\Admin\AppData\Local\Temp\39D8.exe
PID 3136 wrote to memory of 828 N/A N/A C:\Users\Admin\AppData\Local\Temp\3D82.exe
PID 3136 wrote to memory of 4728 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F58.exe
PID 5076 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\39D8.exe C:\Users\Admin\AppData\Local\Temp\39D8.exe
PID 3136 wrote to memory of 1940 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1940 wrote to memory of 5112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4728 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\3F58.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3136 wrote to memory of 4340 N/A N/A C:\Users\Admin\AppData\Local\Temp\4A08.exe
PID 4340 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\4A08.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4800 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\39D8.exe C:\Windows\SysWOW64\icacls.exe
PID 4344 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4344 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 2096 N/A N/A C:\Users\Admin\AppData\Local\Temp\51F8.exe
PID 3136 wrote to memory of 3652 N/A N/A C:\Users\Admin\AppData\Local\Temp\5D44.exe
PID 3136 wrote to memory of 1648 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2328 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2328 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe

"C:\Users\Admin\AppData\Local\Temp\0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f.exe"

C:\Users\Admin\AppData\Local\Temp\39D8.exe

C:\Users\Admin\AppData\Local\Temp\39D8.exe

C:\Users\Admin\AppData\Local\Temp\3D82.exe

C:\Users\Admin\AppData\Local\Temp\3D82.exe

C:\Users\Admin\AppData\Local\Temp\3F58.exe

C:\Users\Admin\AppData\Local\Temp\3F58.exe

C:\Users\Admin\AppData\Local\Temp\39D8.exe

C:\Users\Admin\AppData\Local\Temp\39D8.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4506.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4506.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\4A08.exe

C:\Users\Admin\AppData\Local\Temp\4A08.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 144

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4a9ed65e-6a86-4302-93d7-ba3398f754d2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\51F8.exe

C:\Users\Admin\AppData\Local\Temp\51F8.exe

C:\Users\Admin\AppData\Local\Temp\5D44.exe

C:\Users\Admin\AppData\Local\Temp\5D44.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\39D8.exe

"C:\Users\Admin\AppData\Local\Temp\39D8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\39D8.exe

"C:\Users\Admin\AppData\Local\Temp\39D8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\a2d55a4f-e1fb-4507-af82-f9ff684f6df7\build2.exe

"C:\Users\Admin\AppData\Local\a2d55a4f-e1fb-4507-af82-f9ff684f6df7\build2.exe"

C:\Users\Admin\AppData\Local\a2d55a4f-e1fb-4507-af82-f9ff684f6df7\build2.exe

"C:\Users\Admin\AppData\Local\a2d55a4f-e1fb-4507-af82-f9ff684f6df7\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1756

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\5D44.exe

"C:\Users\Admin\AppData\Local\Temp\5D44.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network


Files
