Malware Analysis Report

2025-01-18 05:52

Sample ID 231016-vk87ksag6v
Target file.exe
SHA256 999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan rootkit spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan rootkit spyware upx

Amadey

Djvu Ransomware

RedLine payload

Detected Djvu ransomware

Glupteba payload

RedLine

SmokeLoader

Glupteba

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Checks BIOS information in registry

Deletes itself

UPX packed file

Checks computer location settings

Loads dropped DLL

Themida packer

Modifies file permissions

Adds Run key to start application

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Manipulates WinMonFS driver.

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 17:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 17:04

Reported

2023-10-16 17:07

Platform

win7-20230831-en

Max time kernel

200s

Max time network

218s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5DCA.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5DCA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5DCA.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\490a7fc8-1484-4a83-92a4-44cd24eab270\\55FD.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\55FD.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5DCA.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5DCA.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\620F.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5DCA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 1280 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 1280 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 1280 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 1280 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\5DCA.exe
PID 1280 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\5DCA.exe
PID 1280 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\5DCA.exe
PID 1280 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\5DCA.exe
PID 2680 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\55FD.exe C:\Users\Admin\AppData\Local\Temp\55FD.exe
PID 1280 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\620F.exe
PID 1280 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\620F.exe
PID 1280 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\620F.exe
PID 1280 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\620F.exe
PID 1280 wrote to memory of 1216 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 1216 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 1216 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 1216 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 1216 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1216 wrote to memory of 2604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 2604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 2604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 2604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 2604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 2604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 2604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1280 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F2B.exe
PID 1280 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F2B.exe
PID 1280 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F2B.exe
PID 1280 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F2B.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\856A.exe
PID 1280 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\856A.exe
PID 1280 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\856A.exe
PID 1280 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\856A.exe
PID 2692 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1280 wrote to memory of 2464 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2464 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2464 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2464 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2464 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2692 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\620F.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\55FD.exe

C:\Users\Admin\AppData\Local\Temp\55FD.exe

C:\Users\Admin\AppData\Local\Temp\55FD.exe

C:\Users\Admin\AppData\Local\Temp\55FD.exe

C:\Users\Admin\AppData\Local\Temp\5DCA.exe

C:\Users\Admin\AppData\Local\Temp\5DCA.exe

C:\Users\Admin\AppData\Local\Temp\620F.exe

C:\Users\Admin\AppData\Local\Temp\620F.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\66E1.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\66E1.dll

C:\Users\Admin\AppData\Local\Temp\6F2B.exe

C:\Users\Admin\AppData\Local\Temp\6F2B.exe

C:\Users\Admin\AppData\Local\Temp\856A.exe

C:\Users\Admin\AppData\Local\Temp\856A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 72

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\490a7fc8-1484-4a83-92a4-44cd24eab270" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016170736.log C:\Windows\Logs\CBS\CbsPersist_20231016170736.cab

C:\Users\Admin\AppData\Local\Temp\55FD.exe

"C:\Users\Admin\AppData\Local\Temp\55FD.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 31.41.244.27:41140 tcp
FR 146.59.161.13:39199 tcp
FR 146.59.161.13:39199 tcp

Files

memory/2776-1-0x0000000000870000-0x0000000000970000-memory.dmp

memory/2776-2-0x0000000000230000-0x000000000023B000-memory.dmp

memory/2776-3-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2776-4-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2776-6-0x0000000000230000-0x000000000023B000-memory.dmp

memory/2776-5-0x0000000000870000-0x0000000000970000-memory.dmp

memory/2776-8-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1280-7-0x0000000002200000-0x0000000002216000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2680-24-0x0000000000310000-0x00000000003A2000-memory.dmp

memory/2680-25-0x0000000000310000-0x00000000003A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2680-29-0x0000000002150000-0x000000000226B000-memory.dmp

memory/2520-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\5DCA.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2520-33-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2580-37-0x0000000000A10000-0x00000000011B8000-memory.dmp

memory/2680-38-0x0000000000310000-0x00000000003A2000-memory.dmp

memory/2520-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-41-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-43-0x0000000076350000-0x0000000076460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\620F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\620F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2580-50-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-51-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-52-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-53-0x0000000075E10000-0x0000000075E57000-memory.dmp

memory/2580-54-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-55-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-57-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-58-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-59-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-60-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-61-0x0000000076350000-0x0000000076460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\66E1.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2580-64-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-65-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-66-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-67-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-69-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-68-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-71-0x0000000077B60000-0x0000000077B62000-memory.dmp

memory/2580-72-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2520-73-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-70-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-62-0x0000000076350000-0x0000000076460000-memory.dmp

\Users\Admin\AppData\Local\Temp\66E1.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2604-75-0x0000000010000000-0x00000000101E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6F2B.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2604-81-0x0000000002210000-0x0000000002318000-memory.dmp

memory/2604-82-0x0000000002320000-0x0000000002410000-memory.dmp

memory/2604-83-0x0000000002320000-0x0000000002410000-memory.dmp

memory/2604-85-0x0000000002320000-0x0000000002410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6F2B.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2604-90-0x0000000002320000-0x0000000002410000-memory.dmp

memory/2716-91-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2716-92-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2716-93-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2716-94-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2716-95-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2604-96-0x0000000000190000-0x0000000000196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\856A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2716-102-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2580-97-0x0000000000A10000-0x00000000011B8000-memory.dmp

memory/2900-104-0x0000000004970000-0x0000000004D68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\856A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2716-107-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2716-109-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2580-110-0x0000000074A40000-0x000000007512E000-memory.dmp

memory/2900-113-0x0000000004D70000-0x000000000565B000-memory.dmp

memory/2900-114-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2900-115-0x0000000004970000-0x0000000004D68000-memory.dmp

memory/2716-116-0x0000000074A40000-0x000000007512E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\620F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\620F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\620F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2464-125-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2464-126-0x0000000000490000-0x0000000000505000-memory.dmp

memory/2464-127-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2464-141-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2580-142-0x0000000005560000-0x00000000055A0000-memory.dmp

memory/2716-144-0x0000000000920000-0x0000000000960000-memory.dmp

memory/2580-149-0x0000000000A10000-0x00000000011B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2072-151-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2072-148-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2580-155-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-163-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-166-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-167-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-168-0x0000000075E10000-0x0000000075E57000-memory.dmp

memory/2580-169-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-170-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-171-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-172-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-173-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-174-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-175-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-176-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-177-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-178-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-179-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2580-180-0x0000000076350000-0x0000000076460000-memory.dmp

memory/2900-184-0x0000000000400000-0x0000000002FB8000-memory.dmp

\Users\Admin\AppData\Local\Temp\620F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\856A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\490a7fc8-1484-4a83-92a4-44cd24eab270\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2520-192-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2900-196-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2580-201-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-200-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-203-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-205-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-207-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-209-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-211-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-213-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-219-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-217-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-215-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-221-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/2580-223-0x00000000005E0000-0x00000000005F5000-memory.dmp

memory/3060-225-0x0000000000400000-0x000000000045A000-memory.dmp

\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\55FD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 17:04

Reported

2023-10-16 17:07

Platform

win10v2004-20230915-en

Max time kernel

155s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\E05E.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\E05E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\E05E.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EDDE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DD60.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e886411d-7be7-4178-b735-141f12f2b5b9\\DD60.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DD60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E05E.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E05E.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\281A.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E05E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\281A.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3180 wrote to memory of 4860 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 3180 wrote to memory of 4860 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 3180 wrote to memory of 4860 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 3180 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\E05E.exe
PID 3180 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\E05E.exe
PID 3180 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\E05E.exe
PID 3180 wrote to memory of 1412 N/A N/A C:\Users\Admin\AppData\Local\Temp\E215.exe
PID 3180 wrote to memory of 1412 N/A N/A C:\Users\Admin\AppData\Local\Temp\E215.exe
PID 3180 wrote to memory of 1412 N/A N/A C:\Users\Admin\AppData\Local\Temp\E215.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 3180 wrote to memory of 2380 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3180 wrote to memory of 2380 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 4860 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Users\Admin\AppData\Local\Temp\DD60.exe
PID 2380 wrote to memory of 2200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2380 wrote to memory of 2200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\E215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 1936 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDDE.exe
PID 3180 wrote to memory of 1936 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDDE.exe
PID 3180 wrote to memory of 1936 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDDE.exe
PID 1936 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\EDDE.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1936 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\EDDE.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1936 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\EDDE.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 676 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 676 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3240 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Windows\SysWOW64\icacls.exe
PID 3240 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Windows\SysWOW64\icacls.exe
PID 3240 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\DD60.exe C:\Windows\SysWOW64\icacls.exe
PID 3188 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3188 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\DD60.exe

C:\Users\Admin\AppData\Local\Temp\DD60.exe

C:\Users\Admin\AppData\Local\Temp\E05E.exe

C:\Users\Admin\AppData\Local\Temp\E05E.exe

C:\Users\Admin\AppData\Local\Temp\E215.exe

C:\Users\Admin\AppData\Local\Temp\E215.exe

C:\Users\Admin\AppData\Local\Temp\DD60.exe

C:\Users\Admin\AppData\Local\Temp\DD60.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E63C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E63C.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\EDDE.exe

C:\Users\Admin\AppData\Local\Temp\EDDE.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1412 -ip 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 272

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e886411d-7be7-4178-b735-141f12f2b5b9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\DD60.exe

"C:\Users\Admin\AppData\Local\Temp\DD60.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DD60.exe

"C:\Users\Admin\AppData\Local\Temp\DD60.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3328 -ip 3328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\281A.exe

C:\Users\Admin\AppData\Local\Temp\281A.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\281A.exe

"C:\Users\Admin\AppData\Local\Temp\281A.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 ec71a3e0-41b7-4c05-b4ed-57e5bd2af997.uuid.thestatsfiles.ru udp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 server5.thestatsfiles.ru udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
IN 172.253.121.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 127.121.253.172.in-addr.arpa udp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
FR 146.59.161.13:39199 tcp

Files

memory/4200-1-0x0000000000A30000-0x0000000000B30000-memory.dmp

memory/4200-2-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4200-3-0x00000000023D0000-0x00000000023DB000-memory.dmp

memory/3180-4-0x0000000002F20000-0x0000000002F36000-memory.dmp

memory/4200-5-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD60.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\DD60.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\E05E.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\E05E.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/772-22-0x00000000007D0000-0x0000000000F78000-memory.dmp

memory/772-23-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-24-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-27-0x00000000768A0000-0x0000000076990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E215.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/772-29-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-30-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-31-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-33-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-32-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/4860-37-0x0000000002500000-0x000000000261B000-memory.dmp

memory/4860-38-0x0000000002320000-0x00000000023BE000-memory.dmp

memory/772-35-0x0000000076F94000-0x0000000076F96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E215.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/3240-45-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD60.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/3240-43-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3240-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E63C.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3240-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/772-49-0x00000000007D0000-0x0000000000F78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E63C.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/1052-52-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3180-53-0x0000000007600000-0x0000000007610000-memory.dmp

memory/772-51-0x0000000005A20000-0x0000000005FC4000-memory.dmp

memory/3180-54-0x0000000007600000-0x0000000007610000-memory.dmp

memory/2200-56-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/1052-58-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/3180-57-0x0000000007600000-0x0000000007610000-memory.dmp

memory/772-55-0x0000000005350000-0x00000000053E2000-memory.dmp

memory/772-59-0x0000000005570000-0x000000000560C000-memory.dmp

memory/3180-63-0x0000000007610000-0x0000000007620000-memory.dmp

memory/3180-64-0x0000000007600000-0x0000000007610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDDE.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\EDDE.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3180-68-0x0000000007600000-0x0000000007610000-memory.dmp

memory/2200-67-0x0000000000A00000-0x0000000000A06000-memory.dmp

memory/3180-62-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-61-0x0000000007600000-0x0000000007610000-memory.dmp

memory/1052-73-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/772-74-0x0000000005310000-0x000000000531A000-memory.dmp

memory/3180-77-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-75-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-79-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-83-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/3180-86-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-81-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-82-0x0000000007600000-0x0000000007610000-memory.dmp

memory/1052-88-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

memory/3180-89-0x0000000007600000-0x0000000007610000-memory.dmp

memory/1052-84-0x0000000008C00000-0x0000000009218000-memory.dmp

memory/1052-98-0x0000000007DE0000-0x0000000007E1C000-memory.dmp

memory/2200-97-0x0000000002730000-0x0000000002838000-memory.dmp

memory/3180-104-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-106-0x0000000007600000-0x0000000007610000-memory.dmp

memory/1052-105-0x0000000007E20000-0x0000000007E6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3180-99-0x0000000007600000-0x0000000007610000-memory.dmp

memory/1052-90-0x0000000007D40000-0x0000000007D52000-memory.dmp

memory/3180-91-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-107-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-109-0x0000000007600000-0x0000000007610000-memory.dmp

memory/3180-108-0x0000000002F00000-0x0000000002F10000-memory.dmp

memory/772-110-0x00000000007D0000-0x0000000000F78000-memory.dmp

memory/772-111-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-112-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/2200-118-0x0000000002840000-0x0000000002930000-memory.dmp

memory/3180-117-0x0000000007600000-0x0000000007610000-memory.dmp

memory/2200-114-0x0000000002840000-0x0000000002930000-memory.dmp

memory/772-113-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-122-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/2200-123-0x0000000002840000-0x0000000002930000-memory.dmp

memory/772-124-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-120-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-128-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/772-129-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/2200-130-0x0000000002840000-0x0000000002930000-memory.dmp

C:\Users\Admin\AppData\Local\e886411d-7be7-4178-b735-141f12f2b5b9\DD60.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/1052-134-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/3240-135-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1052-136-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/3240-137-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD60.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/3180-141-0x0000000002F00000-0x0000000002F10000-memory.dmp

memory/1556-142-0x0000000000AA0000-0x0000000000B38000-memory.dmp

memory/3328-145-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD60.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/3328-146-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3328-148-0x0000000000400000-0x0000000000537000-memory.dmp

memory/772-149-0x0000000005710000-0x000000000572C000-memory.dmp

memory/772-150-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-151-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-153-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-155-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-157-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-159-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-161-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-163-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-165-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-167-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-169-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-171-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-173-0x0000000005710000-0x0000000005725000-memory.dmp

memory/772-179-0x0000000003180000-0x0000000003190000-memory.dmp

memory/4944-180-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4944-177-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/772-182-0x00000000768A0000-0x0000000076990000-memory.dmp

memory/4944-183-0x0000000007E10000-0x0000000007E20000-memory.dmp

memory/772-184-0x00000000007D0000-0x0000000000F78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\281A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\281A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3yygjzgc.o0n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\281A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9036cb35555f87f790265a0d95e567cf
SHA1 c27f8e4ea533c4f4861cb98d3588c54459afc99f
SHA256 d1b6db19a1a66faa30d2cb3c55c72278ee568b9bf4eec8bedbd2afcf5c6b43c4
SHA512 04ea6f417289c83f678a48ece2350b1ba9ff8027599a20217ac9a857eadbc770a5ce11052dd8aa900adfc433950d4b7c64b4474edb46ba08a4f6b73a3b90d109

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e07936013c6cde895b71d5d54c0527b4
SHA1 091423c9d24a32e335a223bc4c1dc3916639169a
SHA256 8b0b3562a097518111c2203f4f538330b0c9e5a5923ace998366e21b5a52a2fb
SHA512 2912f7496f0bcc6b4523c6b17e20670bb7915035e002d332d6495c09c22940fa89f9c5c22628a05294c853069a5c0e22084956e5cbc08622b7fe8165c269689c

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72b9e2f526f44fc780b4b80938971181
SHA1 a005123c9b05667750fe88eab569a58c67f3dcd3
SHA256 a534bc80f26fae4e272c509d5c7f38a61599c50c58395922e5e12e01b0458525
SHA512 2474307bf0755c57e60c1adaaaf5fd7bc3f594469f7d02ef047990acf9be65578184a3efc6376a77b57bc4b988b74cbb19e3d429c734f74e027fc75cd6ff3137

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 12c680fe5dfe4aae024f2813bab88084
SHA1 cb636f13f1b52139d469f02298f96042b98cf157
SHA256 50473f9dfcdbaa96269c26ce0764ec8b1a00227167c3c79fc4c19cd2587eff48
SHA512 50832aa74494ee3486701c0513d62698cbd3757b2588f8e146c488c48645eefb26796fe143a43f020c545ab6b87fd00c72e67ed08d940a21aaac920479d059f4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 865a17d1cdb73ad25c5d097629e8ac02
SHA1 2895dd067a0122f22434488e78c90265d7a86bf9
SHA256 9f201850c338b38e94a44ed41d6f764efec2a2602bf8f298cc51fb82f81a16b8
SHA512 3411f41e468d300a25dca7292e57a8a48a58ca46ab015b1ae6caaa6799964ee13ab55dce8661731ef1d0c90a7ee02a8aa26fb77030b307a2fe6fe969b396be8a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4