Malware Analysis Report

2025-01-18 05:12

Sample ID 231016-vrjv9scf52
Target 999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785
SHA256 999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785
Tags
amadey djvu glupteba redline smokeloader vidar 13088c19c5a97b42d0d1d9573cc9f1b8 logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785

Threat Level: Known bad

The file 999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785 was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

RedLine payload

Detected Djvu ransomware

Djvu Ransomware

Vidar

SmokeLoader

RedLine

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Deletes itself

Themida packer

Modifies file permissions

Checks whether UAC is enabled

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Checks SCSI registry key(s)

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Uses Task Scheduler COM API

outlook_win_path

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 17:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 17:13

Reported

2023-10-16 17:16

Platform

win10-20230915-en

Max time kernel

46s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6CEF.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6CEF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6CEF.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6abb4aae-4f69-4f28-9d0b-d02f26640baf\\6963.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6963.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6CEF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CEF.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2140 set thread context of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 4968 set thread context of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6F9F.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\83D6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\83D6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\83D6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3268 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 3268 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 3268 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 3268 wrote to memory of 3824 N/A N/A C:\Users\Admin\AppData\Local\Temp\6CEF.exe
PID 3268 wrote to memory of 3824 N/A N/A C:\Users\Admin\AppData\Local\Temp\6CEF.exe
PID 3268 wrote to memory of 3824 N/A N/A C:\Users\Admin\AppData\Local\Temp\6CEF.exe
PID 3268 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe
PID 3268 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe
PID 3268 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 2140 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Users\Admin\AppData\Local\Temp\6963.exe
PID 3268 wrote to memory of 5024 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3268 wrote to memory of 5024 N/A N/A C:\Windows\system32\regsvr32.exe
PID 5024 wrote to memory of 4092 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5024 wrote to memory of 4092 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5024 wrote to memory of 4092 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\6F9F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3268 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B88.exe
PID 3268 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B88.exe
PID 3268 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B88.exe
PID 4140 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\7B88.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4140 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\7B88.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4140 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\7B88.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3268 wrote to memory of 3264 N/A N/A C:\Users\Admin\AppData\Local\Temp\83D6.exe
PID 3268 wrote to memory of 3264 N/A N/A C:\Users\Admin\AppData\Local\Temp\83D6.exe
PID 3268 wrote to memory of 3264 N/A N/A C:\Users\Admin\AppData\Local\Temp\83D6.exe
PID 788 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 788 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 788 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 788 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Windows\SysWOW64\icacls.exe
PID 240 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Windows\SysWOW64\icacls.exe
PID 240 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\6963.exe C:\Windows\SysWOW64\icacls.exe
PID 3268 wrote to memory of 2500 N/A N/A C:\Windows\system32\netsh.exe
PID 3268 wrote to memory of 2500 N/A N/A C:\Windows\system32\netsh.exe
PID 3268 wrote to memory of 2500 N/A N/A C:\Windows\system32\netsh.exe
PID 3268 wrote to memory of 3188 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3268 wrote to memory of 3188 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3268 wrote to memory of 3188 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3268 wrote to memory of 3188 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3268 wrote to memory of 2480 N/A N/A C:\Windows\explorer.exe
PID 3268 wrote to memory of 2480 N/A N/A C:\Windows\explorer.exe
PID 3268 wrote to memory of 2480 N/A N/A C:\Windows\explorer.exe
PID 5088 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe

"C:\Users\Admin\AppData\Local\Temp\999cef5e52498f553c0fa9902608b29a85891d04f300854c7784cf7476e7a785.exe"

C:\Users\Admin\AppData\Local\Temp\6963.exe

C:\Users\Admin\AppData\Local\Temp\6963.exe

C:\Users\Admin\AppData\Local\Temp\6CEF.exe

C:\Users\Admin\AppData\Local\Temp\6CEF.exe

C:\Users\Admin\AppData\Local\Temp\6F9F.exe

C:\Users\Admin\AppData\Local\Temp\6F9F.exe

C:\Users\Admin\AppData\Local\Temp\6963.exe

C:\Users\Admin\AppData\Local\Temp\6963.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7609.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7609.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7B88.exe

C:\Users\Admin\AppData\Local\Temp\7B88.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 140

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\83D6.exe

C:\Users\Admin\AppData\Local\Temp\83D6.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6abb4aae-4f69-4f28-9d0b-d02f26640baf" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\8CEF.exe

C:\Users\Admin\AppData\Local\Temp\8CEF.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\6963.exe

"C:\Users\Admin\AppData\Local\Temp\6963.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\6963.exe

"C:\Users\Admin\AppData\Local\Temp\6963.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe

"C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe"

C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe

"C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe"

C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe

"C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\8CEF.exe

"C:\Users\Admin\AppData\Local\Temp\8CEF.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe

"C:\Users\Admin\AppData\Local\775b8dc6-b8e5-454a-a544-e9e53237da2b\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.1:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 104.21.86.8:443 tcp
RU 79.137.192.18:80 tcp
FR 146.59.161.13:39199 tcp
NL 142.251.36.35:80 tcp
US 188.114.97.1:443 api.2ip.ua tcp
ET 196.188.169.138:80 tcp
PA 190.141.134.150:80 colisumy.com tcp
US 8.8.8.8:53 138.169.188.196.in-addr.arpa udp
US 8.8.8.8:53 150.134.141.190.in-addr.arpa udp
RU 31.41.244.27:41140 tcp
ET 196.188.169.138:80 zexeq.com tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
DE 94.130.189.55:7070 94.130.189.55 tcp
US 8.8.8.8:53 55.189.130.94.in-addr.arpa udp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 wirtshauspost.at udp
KR 115.88.24.200:80 wirtshauspost.at tcp
US 8.8.8.8:53 200.24.88.115.in-addr.arpa udp
KR 115.88.24.200:80 wirtshauspost.at tcp
FR 146.59.161.13:39199 tcp
KR 115.88.24.200:80 wirtshauspost.at tcp
KR 115.88.24.200:80 wirtshauspost.at tcp
KR 115.88.24.200:80 wirtshauspost.at tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 115.88.24.200:80 wirtshauspost.at tcp
KR 115.88.24.200:80 wirtshauspost.at tcp
FR 95.101.134.105:80 tcp
KR 115.88.24.200:80 wirtshauspost.at tcp
KR 115.88.24.200:80 wirtshauspost.at tcp
KR 115.88.24.200:80 wirtshauspost.at tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 cfa364cf-e003-4ea3-8387-720074ff6b35.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.21.21.57:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
RU 91.215.85.17:80 tcp
US 8.8.8.8:53 udp
FR 146.59.161.13:39199 tcp

Files

memory/1644-1-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/1644-3-0x0000000000900000-0x000000000090B000-memory.dmp

memory/1644-2-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3268-4-0x0000000000840000-0x0000000000856000-memory.dmp

memory/1644-5-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6963.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\6963.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\6CEF.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\6CEF.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/3824-22-0x0000000000900000-0x00000000010A8000-memory.dmp

memory/3824-23-0x0000000075F90000-0x0000000076152000-memory.dmp

memory/3824-29-0x0000000075F90000-0x0000000076152000-memory.dmp

memory/3824-30-0x0000000076850000-0x0000000076920000-memory.dmp

memory/3824-31-0x0000000076850000-0x0000000076920000-memory.dmp

memory/3824-32-0x0000000076850000-0x0000000076920000-memory.dmp

memory/3824-33-0x00000000774C4000-0x00000000774C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6F9F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/3824-25-0x0000000075F90000-0x0000000076152000-memory.dmp

memory/3824-24-0x0000000075F90000-0x0000000076152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6F9F.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2140-40-0x0000000002540000-0x000000000265B000-memory.dmp

memory/2140-39-0x00000000024A0000-0x0000000002536000-memory.dmp

memory/240-41-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6963.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/240-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/240-43-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3824-47-0x0000000000900000-0x00000000010A8000-memory.dmp

memory/240-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7609.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3824-46-0x0000000073520000-0x0000000073C0E000-memory.dmp

\Users\Admin\AppData\Local\Temp\7609.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3824-51-0x0000000005EF0000-0x00000000063EE000-memory.dmp

memory/4092-52-0x00000000007F0000-0x00000000007F6000-memory.dmp

memory/3824-54-0x0000000005A90000-0x0000000005B22000-memory.dmp

memory/3824-59-0x0000000005C30000-0x0000000005CCC000-memory.dmp

memory/4088-57-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B88.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\7B88.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4092-53-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/4088-67-0x0000000073520000-0x0000000073C0E000-memory.dmp

memory/3824-70-0x0000000005A40000-0x0000000005A4A000-memory.dmp

memory/4088-71-0x0000000000E90000-0x0000000000EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\83D6.exe

MD5 7db5f7b5ec9b48a6b974021ca5539eb5
SHA1 15ec87aaf56d33e3477b62ad7ec8784031470131
SHA256 ee699486a44c9c1fd2f872f49d76c35bc509347d03a1f60d6fe7f631c1874bb5
SHA512 47d4d6bef985bb8fdada84e375b670d477271d954274250ddce9ff404f37d86aaf611ab36f28aae4bcc3ec906fb412a6527289289af78c1bd68775aeab6945ce

C:\Users\Admin\AppData\Local\Temp\8CEF.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\6abb4aae-4f69-4f28-9d0b-d02f26640baf\6963.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\6963.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ryn5ulg4.mfu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Roaming\tawstsb

MD5 7db5f7b5ec9b48a6b974021ca5539eb5
SHA1 15ec87aaf56d33e3477b62ad7ec8784031470131
SHA256 ee699486a44c9c1fd2f872f49d76c35bc509347d03a1f60d6fe7f631c1874bb5
SHA512 47d4d6bef985bb8fdada84e375b670d477271d954274250ddce9ff404f37d86aaf611ab36f28aae4bcc3ec906fb412a6527289289af78c1bd68775aeab6945ce

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9532abced6c1fdb2bec38b681c9c58ed
SHA1 28c7a3118ffa5f275335d04d83cff85d72159773
SHA256 4bd3c7297ae6b7a95e30556b4476f169a868a61787d85f55232cd2c23aa632c9
SHA512 2b42217463849b89d3a9f7a758695c653d834712876c9878af1338aa6e37908f613ea5d88cdb83db7ce7d226a8031b2583b8c9303101074122d3770a2db6706c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7bb71fa6c5589cd4f4cf8800de7e1b7f
SHA1 f47b58b8f08bcc527f1148446f28a5a46661c1dd
SHA256 14cd118a6e83b1e2ba2dbd51ea3cfeee9ae1b958c95824396c11214ea06d6ce0
SHA512 394d7eb76ccaf61cf9f90443c099000f67ab7c4b4800842e3ab7ca709e42187380d5155c5da0f20c57a8805512d2455a11b6bee314a4f33e53b6fde0a083e7c2

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 75134e13d8eeda607856565a3a984257
SHA1 f0bb6cf7ca8e45e774ff3077fe5f1a060b72edeb
SHA256 f0de5b3c1c51afc455a0d03c2c75ba319cad5784ef7e91a228df68c32644aaa9
SHA512 aa7b2c5d5365dfdeef536c67a7199f689f4079c44e3d901c5247e5f1a5c5435a8d6c304d2092771d92205878e1b1eebdc79f0cd7a505e98e5f6933b89c2a28de

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bb0a3c1b852bedea3d66e43fcf02b79a
SHA1 19afe47c015fe7ba8ff12c86d7c6fcb7f10f83bc
SHA256 8538b1b464d8501621c2001a43a7cec137a7d703c4d72487c25369f9f5527883
SHA512 06bf03f2e657b609457b9d37a24e376d487bceb61c4fff29f054a63f60fc0d12455c9f3884701575d725cd941bf92daaca4a0c378db5177b5675a07aad9a745b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2dd54c7e1bdc56ce48afa21bbd44fced
SHA1 5446b44962efc18f242c3e2cc9af6b6ab5216428
SHA256 237bade4ec3f8a8407f67201d306c16015b6caff83d8065d5edbecad7128435c
SHA512 0ad7b0e479f4eb047e13835cf2aa36f243c0e0e1bb126ab9ab40678b0347fe3fc959ed4622c13015f3760d0bc51c4ae54723208ef8e6950898f20c95b0a05527

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
