Malware Analysis Report

2025-01-18 06:23

Sample ID 231017-fqe4cshf21
Target d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449
SHA256 d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449

Threat Level: Known bad

The file d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449 was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan upx

RedLine

SmokeLoader

Djvu Ransomware

Glupteba

Detected Djvu ransomware

RedLine payload

Glupteba payload

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Deletes itself

Modifies file permissions

Checks BIOS information in registry

UPX packed file

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

outlook_win_path

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 05:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 05:04

Reported

2023-10-17 05:07

Platform

win10v2004-20230915-en

Max time kernel

116s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2883.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2883.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2883.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3056.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2584.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3202e3fd-4846-4831-9e81-7dcf4939c2fd\\2584.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2584.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2883.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2883.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3410.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3410.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3410.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3B06.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3410.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2883.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeImpersonatePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 4624 N/A N/A C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 2624 wrote to memory of 4624 N/A N/A C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 2624 wrote to memory of 4624 N/A N/A C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 2624 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\2883.exe
PID 2624 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\2883.exe
PID 2624 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\2883.exe
PID 2624 wrote to memory of 1904 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2624 wrote to memory of 1904 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2624 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Temp\2CAC.exe
PID 2624 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Temp\2CAC.exe
PID 2624 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Temp\2CAC.exe
PID 1904 wrote to memory of 2568 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 2568 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 2568 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\3056.exe
PID 2624 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\3056.exe
PID 2624 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\3056.exe
PID 2624 wrote to memory of 4632 N/A N/A C:\Users\Admin\AppData\Local\Temp\3410.exe
PID 2624 wrote to memory of 4632 N/A N/A C:\Users\Admin\AppData\Local\Temp\3410.exe
PID 2624 wrote to memory of 4632 N/A N/A C:\Users\Admin\AppData\Local\Temp\3410.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 4624 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 2624 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B06.exe
PID 2624 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B06.exe
PID 2624 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B06.exe
PID 2624 wrote to memory of 4792 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 4792 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 4792 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 4792 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2624 wrote to memory of 4176 N/A N/A C:\Windows\explorer.exe
PID 2624 wrote to memory of 4176 N/A N/A C:\Windows\explorer.exe
PID 2624 wrote to memory of 4176 N/A N/A C:\Windows\explorer.exe
PID 5000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3056.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3056.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3056.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2864 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2864 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2864 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2864 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Windows\SysWOW64\icacls.exe
PID 620 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Windows\SysWOW64\icacls.exe
PID 620 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Windows\SysWOW64\icacls.exe
PID 2068 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2068 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2068 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 620 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 620 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 620 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2584.exe C:\Users\Admin\AppData\Local\Temp\2584.exe
PID 2068 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2068 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2068 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe

"C:\Users\Admin\AppData\Local\Temp\d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449.exe"

C:\Users\Admin\AppData\Local\Temp\2584.exe

C:\Users\Admin\AppData\Local\Temp\2584.exe

C:\Users\Admin\AppData\Local\Temp\2883.exe

C:\Users\Admin\AppData\Local\Temp\2883.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2B43.dll

C:\Users\Admin\AppData\Local\Temp\2CAC.exe

C:\Users\Admin\AppData\Local\Temp\2CAC.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2B43.dll

C:\Users\Admin\AppData\Local\Temp\3056.exe

C:\Users\Admin\AppData\Local\Temp\3056.exe

C:\Users\Admin\AppData\Local\Temp\3410.exe

C:\Users\Admin\AppData\Local\Temp\3410.exe

C:\Users\Admin\AppData\Local\Temp\2584.exe

C:\Users\Admin\AppData\Local\Temp\2584.exe

C:\Users\Admin\AppData\Local\Temp\3B06.exe

C:\Users\Admin\AppData\Local\Temp\3B06.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3202e3fd-4846-4831-9e81-7dcf4939c2fd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\2584.exe

"C:\Users\Admin\AppData\Local\Temp\2584.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\2584.exe

"C:\Users\Admin\AppData\Local\Temp\2584.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 384 -ip 384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3B06.exe

"C:\Users\Admin\AppData\Local\Temp\3B06.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\78B8.exe

C:\Users\Admin\AppData\Local\Temp\78B8.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 556 -ip 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 wirtshauspost.at udp
MX 201.124.243.137:80 wirtshauspost.at tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 137.243.124.201.in-addr.arpa udp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
US 8.8.8.8:53 rummygoplay.in udp
IN 103.251.94.112:443 rummygoplay.in tcp
US 8.8.8.8:53 112.94.251.103.in-addr.arpa udp
GB 145.239.200.147:30225 tcp
US 8.8.8.8:53 147.200.239.145.in-addr.arpa udp
MX 201.124.243.137:80 wirtshauspost.at tcp
US 8.8.8.8:53 79654ca9-ff79-4149-a309-2c8bbf3a6c78.uuid.thestatsfiles.ru udp
MX 201.124.243.137:80 wirtshauspost.at tcp
MX 201.124.243.137:80 wirtshauspost.at tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 server5.thestatsfiles.ru udp
US 8.8.8.8:53 stun.ipfire.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
BG 185.82.216.96:443 server5.thestatsfiles.ru tcp

Files

memory/4224-1-0x0000000000750000-0x0000000000850000-memory.dmp

memory/4224-2-0x00000000022F0000-0x00000000022FB000-memory.dmp

memory/4224-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2624-4-0x00000000033D0000-0x00000000033E6000-memory.dmp

memory/4224-5-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/4224-8-0x00000000022F0000-0x00000000022FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2584.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\2584.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\2883.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\2883.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2732-23-0x0000000000370000-0x0000000000B18000-memory.dmp

memory/2732-24-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-25-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-27-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-29-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-33-0x0000000076E70000-0x0000000076F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2CAC.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/2732-37-0x0000000077594000-0x0000000077596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2CAC.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

C:\Users\Admin\AppData\Local\Temp\2B43.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2732-31-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-28-0x0000000076E70000-0x0000000076F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3056.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\3056.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4624-45-0x0000000002650000-0x00000000026EE000-memory.dmp

memory/4624-46-0x0000000002720000-0x000000000283B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3410.exe

MD5 3895d07bfb5a0c1cb26ef24d2c553989
SHA1 f078569e790ace042d36afba62c2211fb44f22c0
SHA256 e0ee00747457d941d77ba99878dcecbec2544d6181a158537a5eceb5ac4d786c
SHA512 63505baeac8169ae5726d8e24a85a576ed31c63bd18c34a032988451132d4d179c753ed58655a049d35f6c2e09d6073206d27007b85e45f66754aee92e21c05d

C:\Users\Admin\AppData\Local\Temp\3410.exe

MD5 3895d07bfb5a0c1cb26ef24d2c553989
SHA1 f078569e790ace042d36afba62c2211fb44f22c0
SHA256 e0ee00747457d941d77ba99878dcecbec2544d6181a158537a5eceb5ac4d786c
SHA512 63505baeac8169ae5726d8e24a85a576ed31c63bd18c34a032988451132d4d179c753ed58655a049d35f6c2e09d6073206d27007b85e45f66754aee92e21c05d

memory/4632-54-0x0000000000690000-0x0000000000790000-memory.dmp

memory/4632-55-0x0000000000640000-0x000000000064B000-memory.dmp

memory/4632-56-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/620-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/620-59-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2584.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\2B43.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

C:\Users\Admin\AppData\Local\Temp\3B06.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\3B06.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/620-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2732-69-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-70-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-68-0x0000000000370000-0x0000000000B18000-memory.dmp

memory/2568-72-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/620-73-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2732-75-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/4792-76-0x0000000000480000-0x00000000004EB000-memory.dmp

memory/2732-78-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2568-77-0x0000000001090000-0x0000000001096000-memory.dmp

memory/4176-79-0x0000000000E90000-0x0000000000E9C000-memory.dmp

memory/2732-80-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/4176-84-0x0000000000E90000-0x0000000000E9C000-memory.dmp

memory/4792-82-0x0000000000480000-0x00000000004EB000-memory.dmp

memory/2732-81-0x0000000000370000-0x0000000000B18000-memory.dmp

memory/2732-87-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-91-0x0000000076E70000-0x0000000076F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4792-95-0x00000000004F0000-0x0000000000570000-memory.dmp

memory/2732-71-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/2732-106-0x0000000005C30000-0x00000000061D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2624-116-0x0000000003600000-0x0000000003616000-memory.dmp

memory/4632-120-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2600-121-0x0000000004CA0000-0x00000000050A3000-memory.dmp

memory/2732-123-0x0000000005820000-0x00000000058BC000-memory.dmp

memory/2732-119-0x0000000005680000-0x0000000005712000-memory.dmp

memory/2600-124-0x00000000050B0000-0x000000000599B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2568-125-0x0000000002D80000-0x0000000002E88000-memory.dmp

memory/2568-128-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/4792-127-0x0000000000480000-0x00000000004EB000-memory.dmp

memory/2600-126-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2732-132-0x0000000005650000-0x000000000565A000-memory.dmp

memory/2568-133-0x0000000002E90000-0x0000000002F80000-memory.dmp

memory/2568-137-0x0000000002E90000-0x0000000002F80000-memory.dmp

memory/2568-139-0x0000000002E90000-0x0000000002F80000-memory.dmp

memory/620-141-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-143-0x0000000002E90000-0x0000000002F80000-memory.dmp

memory/2600-142-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\3202e3fd-4846-4831-9e81-7dcf4939c2fd\2584.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/620-145-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2584.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/620-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-151-0x0000000004CA0000-0x00000000050A3000-memory.dmp

memory/4716-153-0x0000000000900000-0x0000000000998000-memory.dmp

memory/2600-152-0x00000000050B0000-0x000000000599B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2584.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/384-156-0x0000000000400000-0x0000000000537000-memory.dmp

memory/384-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/384-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2732-161-0x0000000005A60000-0x0000000005A7C000-memory.dmp

memory/2600-160-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2732-162-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-163-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-165-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2600-167-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2732-168-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-170-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-172-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-174-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-176-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-178-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-180-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-182-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-184-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/2732-186-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/4748-187-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2732-193-0x0000000005960000-0x0000000005970000-memory.dmp

memory/2732-191-0x0000000000370000-0x0000000000B18000-memory.dmp

memory/4748-190-0x0000000074190000-0x0000000074940000-memory.dmp

memory/2732-192-0x0000000076E70000-0x0000000076F60000-memory.dmp

memory/4748-194-0x00000000074C0000-0x00000000074D0000-memory.dmp

memory/4748-197-0x00000000083D0000-0x00000000089E8000-memory.dmp

memory/4748-198-0x0000000007510000-0x0000000007522000-memory.dmp

memory/4748-199-0x0000000007640000-0x000000000774A000-memory.dmp

memory/4748-200-0x0000000007570000-0x00000000075AC000-memory.dmp

memory/3328-202-0x0000000074190000-0x0000000074940000-memory.dmp

memory/3328-203-0x0000000005070000-0x0000000005080000-memory.dmp

memory/4748-201-0x00000000075D0000-0x000000000761C000-memory.dmp

memory/3328-204-0x0000000004EF0000-0x0000000004F26000-memory.dmp

memory/3328-205-0x00000000056B0000-0x0000000005CD8000-memory.dmp

memory/2600-206-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4748-207-0x0000000074190000-0x0000000074940000-memory.dmp

C:\Users\Admin\AppData\Roaming\vbjrsjr

MD5 3895d07bfb5a0c1cb26ef24d2c553989
SHA1 f078569e790ace042d36afba62c2211fb44f22c0
SHA256 e0ee00747457d941d77ba99878dcecbec2544d6181a158537a5eceb5ac4d786c
SHA512 63505baeac8169ae5726d8e24a85a576ed31c63bd18c34a032988451132d4d179c753ed58655a049d35f6c2e09d6073206d27007b85e45f66754aee92e21c05d

memory/3328-211-0x0000000005CE0000-0x0000000005D02000-memory.dmp

memory/3328-212-0x0000000005D80000-0x0000000005DE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cf3cygsn.prg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2600-248-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3B06.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2600-264-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/5092-297-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/552-298-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 4fd6b3a467056385abd8ed1f85da0fa2
SHA1 4c42cd69ac787622af8b0748cb72b76911f9ff76
SHA256 5e9fcb024a6b188bad3226ea736d4b95df2a5cc6b493e0fab951c5bc051fbfec
SHA512 525067ffa8c9ef372255eaf264114971590a64cd06302e33ef89d5465eded3a1579b8b79efa1b445e593fa2cd907ed3394b4f1193c0ed63157ed5f06d4889289

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb182f415e2bde96fc9c502d6bc58dd6
SHA1 1bab1463d7f1e437a1f4dc697281bce8c09b231e
SHA256 3fcdc75ba648ff17874885e3be39358d5c5537d564d5bef4e840416868b581cf
SHA512 c8d0747c959a480639cd388d51198bb4a9a05fc5746460f72299c58a6a5332ec1cd2c6ae914c0b440d51e82d6a5e4550b47fe9b5a67fae5f1df0355f80138f95

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 61f68f9514778f806a35f3e930a694fc
SHA1 346054fa92ed08b43aaee020bc8602ee4386352e
SHA256 9658e9e163f80438e4a906ad3daf36c2e8766e5a8a3faea78435819f72006456
SHA512 e0630bbf1a8ada29daeda8f11c72b63e7cbba64998f2e31da926f01e74e9d720f9eef1eeb914479b689a4e4b9b1fb99d5173256d4eaad3cb4b1ef7e23c5e4b6f

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3e2e7031c9ec99cfe1d1a6ba2edb0c2e
SHA1 338acb7ba902a6f9395cd52ddfe2dc49a65e1356
SHA256 212459457ae4eb2f62a67ab1aa033ad6beca77c9571d7313eccfea8595bc9e06
SHA512 d4ad13cdde0eb58e69148cb1f16d282170c47c1aca0ea98b888947da4921ec27f3dc217f1f76f6ebbbcf8647785765083c9a696d72fb143249d16b7eec6c8da4

C:\Users\Admin\AppData\Local\Temp\78B8.exe

MD5 8d38f8b980d56c87dbca7c6abdca7a54
SHA1 5452edceb0fd59a7336da1aaad0b007e72b8b03d
SHA256 de41d77e137dd2ae35d5623085bcc3a9e46957ce7dfec655693c7c3120aaeeb9
SHA512 6fa6d2cb1a68429a11675cc1765090761cf55fc811eba6fa140e13d984ab36c84bfd1d7fe7d9df25e2b2a82eac35ec2818d16be8818e8012b5b489bee4b123b3

C:\Users\Admin\AppData\Local\Temp\78B8.exe

MD5 8d38f8b980d56c87dbca7c6abdca7a54
SHA1 5452edceb0fd59a7336da1aaad0b007e72b8b03d
SHA256 de41d77e137dd2ae35d5623085bcc3a9e46957ce7dfec655693c7c3120aaeeb9
SHA512 6fa6d2cb1a68429a11675cc1765090761cf55fc811eba6fa140e13d984ab36c84bfd1d7fe7d9df25e2b2a82eac35ec2818d16be8818e8012b5b489bee4b123b3

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 8d38f8b980d56c87dbca7c6abdca7a54
SHA1 5452edceb0fd59a7336da1aaad0b007e72b8b03d
SHA256 de41d77e137dd2ae35d5623085bcc3a9e46957ce7dfec655693c7c3120aaeeb9
SHA512 6fa6d2cb1a68429a11675cc1765090761cf55fc811eba6fa140e13d984ab36c84bfd1d7fe7d9df25e2b2a82eac35ec2818d16be8818e8012b5b489bee4b123b3

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 8d38f8b980d56c87dbca7c6abdca7a54
SHA1 5452edceb0fd59a7336da1aaad0b007e72b8b03d
SHA256 de41d77e137dd2ae35d5623085bcc3a9e46957ce7dfec655693c7c3120aaeeb9
SHA512 6fa6d2cb1a68429a11675cc1765090761cf55fc811eba6fa140e13d984ab36c84bfd1d7fe7d9df25e2b2a82eac35ec2818d16be8818e8012b5b489bee4b123b3

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 8d38f8b980d56c87dbca7c6abdca7a54
SHA1 5452edceb0fd59a7336da1aaad0b007e72b8b03d
SHA256 de41d77e137dd2ae35d5623085bcc3a9e46957ce7dfec655693c7c3120aaeeb9
SHA512 6fa6d2cb1a68429a11675cc1765090761cf55fc811eba6fa140e13d984ab36c84bfd1d7fe7d9df25e2b2a82eac35ec2818d16be8818e8012b5b489bee4b123b3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5fc161cdb0bda6bdaaae85717af5f05d
SHA1 e97cc8610833e9d5d1e09739617d0920144aa83a
SHA256 e8fb2275826c148e2160b0531dfd94c0ff27cd3ea687fa45515c989b5e225769
SHA512 0f1def446b9b6c732734d7212838b22cf6c736e99f366b1e07db58f215683aaec06729805310930c4ab44ce2d820794e6ba6b2a216f6a9a09ed25ffa68bb4a12

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6f24c815f77a825c7776e9db56863b4b
SHA1 9dc00d5df889fee31e0765e8b1614dc8b8af96be
SHA256 fbded3c112458efd6b5970f331ea409024f3bcaf7382b1dcc2856f5c824429a3
SHA512 0a3f833f35f4e81a6b2de43aeed7bbdcb7ca657c2ddb51e1acd9d0ee66887b17d7fe4c3b9c454017f3af37c4db6376bcbbc98b3d057e8ec3655f355d8351f6e8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec