Malware Analysis Report

2025-01-18 05:07

Sample ID 231017-j4zlpscb27
Target file.exe
SHA256 9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67c
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1 rootkit spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67c

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

Amadey

RedLine payload

Detected Djvu ransomware

RedLine

Glupteba payload

Glupteba

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Themida packer

Deletes itself

Modifies file permissions

Loads dropped DLL

UPX packed file

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Manipulates WinMonFS driver

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

outlook_win_path

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 08:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 08:14

Reported

2023-10-17 08:20

Platform

win7-20230831-en

Max time kernel

272s

Max time network

294s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DFF4.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DFF4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DFF4.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\22b35e4f-fb08-4593-9fb8-87030b9f5ff6\\DCD8.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DCD8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DFF4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFF4.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2928 set thread context of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2592 set thread context of 1800 N/A C:\Users\Admin\AppData\Local\Temp\EAFE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hhgrgir N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hhgrgir N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hhgrgir N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hhgrgir N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 1264 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 1264 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 1264 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 1264 wrote to memory of 1076 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFF4.exe
PID 1264 wrote to memory of 1076 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFF4.exe
PID 1264 wrote to memory of 1076 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFF4.exe
PID 1264 wrote to memory of 1076 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFF4.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 2928 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\DCD8.exe C:\Users\Admin\AppData\Local\Temp\DCD8.exe
PID 1264 wrote to memory of 2132 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2132 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2132 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2132 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2132 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\Temp\EAFE.exe
PID 1264 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\Temp\EAFE.exe
PID 1264 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\Temp\EAFE.exe
PID 1264 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\Temp\EAFE.exe
PID 2132 wrote to memory of 2864 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2864 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2864 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2864 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2864 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2864 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2864 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1264 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe
PID 1264 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe
PID 1264 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe
PID 1264 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe
PID 1772 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1772 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1772 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1772 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\FB06.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1684 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1684 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1684 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1684 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\1367.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\1367.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\1367.exe
PID 1264 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\Temp\1367.exe
PID 1684 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1604 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 1604 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 1604 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 1604 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 1604 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2136 N/A N/A C:\Windows\explorer.exe
PID 1264 wrote to memory of 2136 N/A N/A C:\Windows\explorer.exe
PID 1264 wrote to memory of 2136 N/A N/A C:\Windows\explorer.exe
PID 1264 wrote to memory of 2136 N/A N/A C:\Windows\explorer.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\DCD8.exe

C:\Users\Admin\AppData\Local\Temp\DCD8.exe

C:\Users\Admin\AppData\Local\Temp\DFF4.exe

C:\Users\Admin\AppData\Local\Temp\DFF4.exe

C:\Users\Admin\AppData\Local\Temp\DCD8.exe

C:\Users\Admin\AppData\Local\Temp\DCD8.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E562.dll

C:\Users\Admin\AppData\Local\Temp\EAFE.exe

C:\Users\Admin\AppData\Local\Temp\EAFE.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E562.dll

C:\Users\Admin\AppData\Local\Temp\FB06.exe

C:\Users\Admin\AppData\Local\Temp\FB06.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\1367.exe

C:\Users\Admin\AppData\Local\Temp\1367.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\22b35e4f-fb08-4593-9fb8-87030b9f5ff6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\taskeng.exe

taskeng.exe {20543EAC-2848-40F2-AC32-F5CEF6945CF0} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\hhgrgir

C:\Users\Admin\AppData\Roaming\hhgrgir

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.0:443 api.2ip.ua tcp

Files

memory/2632-1-0x0000000000250000-0x0000000000350000-memory.dmp

memory/2632-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/2632-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2632-4-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2632-5-0x0000000000250000-0x0000000000350000-memory.dmp

memory/2632-6-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/2632-7-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1264-8-0x00000000029E0000-0x00000000029F6000-memory.dmp

memory/2632-9-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DCD8.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\DFF4.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/1076-28-0x0000000000FF0000-0x0000000001798000-memory.dmp

memory/2928-29-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/2488-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2488-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2928-40-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/2928-42-0x00000000020E0000-0x00000000021FB000-memory.dmp

memory/1076-41-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-37-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-44-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-46-0x00000000772C0000-0x0000000077307000-memory.dmp

memory/1076-47-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-48-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-52-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-51-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-50-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-49-0x0000000076FA0000-0x00000000770B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E562.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/1076-53-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-54-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-55-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-57-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-58-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-59-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-60-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-61-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-62-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAFE.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/2488-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2488-76-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\FB06.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1076-80-0x0000000000FF0000-0x0000000001798000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1367.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2820-91-0x0000000004960000-0x0000000004D58000-memory.dmp

memory/1076-94-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-93-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-95-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-96-0x00000000772C0000-0x0000000077307000-memory.dmp

memory/1076-97-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-98-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/2136-100-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1076-101-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-102-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-103-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/2136-104-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1076-106-0x0000000074960000-0x000000007504E000-memory.dmp

memory/2820-109-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2820-110-0x0000000004960000-0x0000000004D58000-memory.dmp

memory/2820-113-0x0000000004D60000-0x000000000564B000-memory.dmp

memory/1076-114-0x0000000076FA0000-0x00000000770B0000-memory.dmp

memory/1076-115-0x0000000000FF0000-0x0000000001798000-memory.dmp

memory/1604-117-0x0000000000210000-0x0000000000285000-memory.dmp

memory/1604-116-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/1604-130-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2864-132-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2864-131-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/2820-134-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1076-138-0x0000000074960000-0x000000007504E000-memory.dmp

memory/2864-139-0x0000000002210000-0x0000000002318000-memory.dmp

memory/2864-140-0x0000000002320000-0x0000000002410000-memory.dmp

memory/2864-141-0x0000000002320000-0x0000000002410000-memory.dmp

memory/2864-144-0x0000000002320000-0x0000000002410000-memory.dmp

memory/2864-147-0x0000000002320000-0x0000000002410000-memory.dmp

memory/1800-163-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1800-164-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1800-165-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1800-166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1800-167-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1800-168-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1800-172-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2488-171-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1800-174-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1800-175-0x0000000074960000-0x000000007504E000-memory.dmp

C:\Users\Admin\AppData\Local\22b35e4f-fb08-4593-9fb8-87030b9f5ff6\DCD8.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Roaming\hhgrgir

MD5 d4b940476375ed88a0584e75675617c6
SHA1 828919c12272cf7fb56eb9952b72c07912635d95
SHA256 9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67c
SHA512 289b540a353bffdcfa14f6370a0db29bcf89a5f5e4fa8e0c295e07803e1b0ed3a9a9261d47f4aa146bbd69dfa0984d8aca9c5706ed9e655642c0c4b2337e6c90

memory/2820-180-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2444-190-0x0000000000720000-0x0000000000820000-memory.dmp

memory/2444-191-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1800-189-0x00000000073A0000-0x00000000073E0000-memory.dmp

memory/1076-188-0x0000000005050000-0x0000000005090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1264-193-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/2444-196-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2488-197-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2820-198-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1800-199-0x0000000074960000-0x000000007504E000-memory.dmp

memory/1076-200-0x0000000005050000-0x0000000005090000-memory.dmp

memory/1800-201-0x00000000073A0000-0x00000000073E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 08:14

Reported

2023-10-17 08:17

Platform

win10v2004-20230915-en

Max time kernel

153s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\E773.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\E773.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\E773.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F2D0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E4E2.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\072bfbe8-0662-462c-bd22-7fda1ce1b4b3\\E4E2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E4E2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E773.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E773.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F7F2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F7F2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F7F2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
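The persistence entries in this detonation (the SysHelper and csrss Run values above, the per-minute schtasks task, and the cmd.exe /k ... CACLS one-liner recorded under Processes) are distinctive enough to turn into host detection logic. The block below is an added example, not part of this report or of any sandbox vendor's code. It replays constructed Sysmon-style events against four rules derived from the signatures on this page. The field names (Image, ParentImage, CommandLine, TargetObject, Details) are an assumption modelled on Sysmon event IDs 1 and 13; the values are copied from this detonation, with one constructed benign OneDrive Run entry added as a control. The rule names, the core-process name list and the regsvr32 event's missing parent (the report records only a PID) are the editor's choices.

```python
import re

# Assumed event schema (modelled on Sysmon EID 1 / EID 13, not the sandbox's format):
# process events carry Image, ParentImage, CommandLine; registry events carry
# Image, TargetObject, Details.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
GUID_DIR = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Core Windows process names that should never be started from a Run key outside
# System32 (editor's list; this report's Glupteba stage uses C:\Windows\rss\csrss.exe).
CORE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "wininit.exe"}
# cacls <file> /P <user>:N replaces the whole ACL with a single "no access" entry.
ACL_LOCK = re.compile(r'cacls\s+"?([^"\s]+)"?\s+/P\s+"?([^"\s:]+):N\b', re.I)


def tokens(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def arg_after(toks, flag):
    """Token following a case-insensitive flag such as /SC or /TR, or '' if absent."""
    low = [t.lower() for t in toks]
    if flag in low and low.index(flag) + 1 < len(toks):
        return toks[low.index(flag) + 1]
    return ""


def rule_minute_task_from_temp(ev):
    """schtasks /Create /SC MINUTE whose /TR target lives under %TEMP% (Amadey relaunch task)."""
    if ev["type"] != "process" or not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    toks = tokens(ev["CommandLine"])
    if "/create" not in [t.lower() for t in toks] or arg_after(toks, "/sc").lower() != "minute":
        return None
    target = arg_after(toks, "/tr")
    return f"per-minute scheduled task relaunching {target}" if TEMP_DIR.search(target) else None


def rule_self_acl_lock(ev):
    """cmd.exe one-liner that replaces a file/folder ACL with <user>:N, launched by a %TEMP% binary.
    Amadey runs this against its own exe and folder, then re-adds Read with /E, so the
    interactive user can see the file but cannot modify or delete it."""
    if ev["type"] != "process" or not ev["Image"].lower().endswith("\\cmd.exe"):
        return None
    found = ACL_LOCK.findall(ev["CommandLine"])
    if found and TEMP_DIR.search(ev.get("ParentImage", "")):
        targets = ", ".join(sorted({path for path, _ in found}))
        return f"ACL lockout ({found[0][1]}:N) on {targets} by a process spawned from %TEMP%"
    return None


def rule_run_key(ev):
    """Run values matching the Djvu (GUID folder + --AutoStart) and Glupteba
    (core process name outside System32) entries recorded in this report."""
    if ev["type"] != "registry" or not RUN_KEY.search(ev["TargetObject"]):
        return None
    name = ev["TargetObject"].rsplit("\\", 1)[-1]
    data = ev["Details"]
    exe = tokens(data)[0] if data.strip() else ""
    if GUID_DIR.search(exe) and "--autostart" in data.lower():
        return f"Run\\{name} -> {exe} (GUID-named AppData folder, --AutoStart)"
    base = exe.lower().rsplit("\\", 1)[-1]
    if base in CORE_NAMES and not exe.lower().startswith(SYSTEM_DIRS):
        return f"Run\\{name} starts {base} from a non-system path: {exe}"
    return None


def rule_regsvr32_temp_dll(ev):
    """regsvr32 registering a DLL dropped under %TEMP% (this report's E987.dll)."""
    if ev["type"] != "process" or not ev["Image"].lower().endswith("\\regsvr32.exe"):
        return None
    for t in tokens(ev["CommandLine"]):
        if t.lower().endswith(".dll") and TEMP_DIR.search(t):
            return f"regsvr32 loading dropped DLL {t}"
    return None


RULES = [rule_minute_task_from_temp, rule_self_acl_lock, rule_run_key, rule_regsvr32_temp_dll]

# Constructed events; command lines and registry data are taken from this detonation.
SID = r"HKU\S-1-5-21-1926387074-3400613176-3566796709-1000"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'},
    {"id": 2, "type": "process", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'},
    {"id": 3, "type": "registry", "Image": r"C:\Users\Admin\AppData\Local\Temp\E4E2.exe",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "Details": r'"C:\Users\Admin\AppData\Local\072bfbe8-0662-462c-bd22-7fda1ce1b4b3\E4E2.exe" --AutoStart'},
    {"id": 4, "type": "registry", "Image": r"C:\Users\Admin\AppData\Local\Temp\4D3.exe",
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss",
     "Details": r'"C:\Windows\rss\csrss.exe"'},
    {"id": 5, "type": "process", "Image": r"C:\Windows\system32\regsvr32.exe",  # parent omitted: report gives only a PID
     "CommandLine": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E987.dll"},
    {"id": 6, "type": "registry", "Image": r"C:\Windows\explorer.exe",  # constructed benign control
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def evaluate(events):
    """Return (event id, rule name, reason) for every rule that fires on every event."""
    return [(ev["id"], r.__name__, reason) for ev in events for r in RULES if (reason := r(ev))]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

Read together, the two CACLS commands explain why the piped echo Y is there: /P without /E replaces the entire ACL (prompting for confirmation), so Admin:N first strips every ACE, and the second call with /E adds Read back for Admin only. The per-minute task then keeps relaunching a file the user can no longer delete, which is why the schtasks rule keys on /SC MINUTE plus a %TEMP% target rather than on the task name alone.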

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F7F2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E773.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4D3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 3156 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 3156 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 3156 wrote to memory of 4980 N/A N/A C:\Users\Admin\AppData\Local\Temp\E773.exe
PID 3156 wrote to memory of 4980 N/A N/A C:\Users\Admin\AppData\Local\Temp\E773.exe
PID 3156 wrote to memory of 4980 N/A N/A C:\Users\Admin\AppData\Local\Temp\E773.exe
PID 3156 wrote to memory of 2184 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3156 wrote to memory of 2184 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3156 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB4D.exe
PID 3156 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB4D.exe
PID 3156 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB4D.exe
PID 2184 wrote to memory of 4920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 4920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2184 wrote to memory of 4920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 1892 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 3156 wrote to memory of 3116 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2D0.exe
PID 3156 wrote to memory of 3116 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2D0.exe
PID 3156 wrote to memory of 3116 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2D0.exe
PID 3156 wrote to memory of 1980 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7F2.exe
PID 3156 wrote to memory of 1980 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7F2.exe
PID 3156 wrote to memory of 1980 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7F2.exe
PID 3116 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\F2D0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3116 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\F2D0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3116 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\F2D0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4892 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D3.exe
PID 3156 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D3.exe
PID 3156 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D3.exe
PID 3156 wrote to memory of 1280 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 1280 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 1280 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 1280 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 208 N/A N/A C:\Windows\explorer.exe
PID 3156 wrote to memory of 208 N/A N/A C:\Windows\explorer.exe
PID 3156 wrote to memory of 208 N/A N/A C:\Windows\explorer.exe
PID 752 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Windows\SysWOW64\icacls.exe
PID 752 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Windows\SysWOW64\icacls.exe
PID 752 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Windows\SysWOW64\icacls.exe
PID 1684 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1684 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1684 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1684 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1684 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1684 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 752 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 752 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe
PID 752 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\E4E2.exe C:\Users\Admin\AppData\Local\Temp\E4E2.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

C:\Users\Admin\AppData\Local\Temp\E773.exe

C:\Users\Admin\AppData\Local\Temp\E773.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E987.dll

C:\Users\Admin\AppData\Local\Temp\EB4D.exe

C:\Users\Admin\AppData\Local\Temp\EB4D.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E987.dll

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

C:\Users\Admin\AppData\Local\Temp\F2D0.exe

C:\Users\Admin\AppData\Local\Temp\F2D0.exe

C:\Users\Admin\AppData\Local\Temp\F7F2.exe

C:\Users\Admin\AppData\Local\Temp\F7F2.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\4D3.exe

C:\Users\Admin\AppData\Local\Temp\4D3.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\072bfbe8-0662-462c-bd22-7fda1ce1b4b3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

"C:\Users\Admin\AppData\Local\Temp\E4E2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

"C:\Users\Admin\AppData\Local\Temp\E4E2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\4D3.exe

"C:\Users\Admin\AppData\Local\Temp\4D3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
PE 190.187.52.42:80 wirtshauspost.at tcp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
GB 145.239.200.147:30225 tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
US 8.8.8.8:53 147.200.239.145.in-addr.arpa udp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
PE 190.187.52.42:80 wirtshauspost.at tcp
FI 91.217.76.230:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0f408a1f-3c46-479f-9c95-2e1fa97697ef.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server12.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.128.127:19302 stun.l.google.com udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp

Files

memory/2040-1-0x0000000000800000-0x0000000000900000-memory.dmp

memory/2040-2-0x0000000000750000-0x000000000075B000-memory.dmp

memory/2040-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3156-4-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2040-5-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2040-8-0x0000000000750000-0x000000000075B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\E773.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\E773.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/4980-23-0x0000000000400000-0x0000000000BA8000-memory.dmp

memory/4980-24-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-25-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-26-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-28-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-30-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-29-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-31-0x0000000076C20000-0x0000000076D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E987.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/4980-38-0x0000000077B34000-0x0000000077B36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB4D.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

C:\Users\Admin\AppData\Local\Temp\EB4D.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/4980-33-0x0000000076C20000-0x0000000076D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E987.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/4920-42-0x0000000000DD0000-0x0000000000DD6000-memory.dmp

memory/4920-44-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/1892-47-0x00000000024B0000-0x000000000254B000-memory.dmp

memory/1892-45-0x0000000002610000-0x000000000272B000-memory.dmp

memory/752-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/752-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4980-48-0x0000000005C70000-0x0000000006214000-memory.dmp

memory/4980-43-0x0000000000400000-0x0000000000BA8000-memory.dmp

memory/4980-51-0x0000000005560000-0x00000000055F2000-memory.dmp

memory/752-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/752-55-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2D0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\F2D0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4980-53-0x00000000057C0000-0x000000000585C000-memory.dmp

memory/4980-62-0x0000000005640000-0x000000000564A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F7F2.exe

MD5 629d9bcff1e6ec968a9d8c3997e034cd
SHA1 68cbd39ef872b6006196dd53542a43650dfe988c
SHA256 182d10ae2814ab3a3512500de3e4229734f595495f29796f131a0523f7370f9a
SHA512 b7028032f6cb8a6a186bb67555e8230ff542261e6c314ead99f1051f57b5f89bb265cadbd9afab35b4eaae5cab14686b64544b0e74fabd96e6116144ab9c905a

C:\Users\Admin\AppData\Local\Temp\F7F2.exe

MD5 629d9bcff1e6ec968a9d8c3997e034cd
SHA1 68cbd39ef872b6006196dd53542a43650dfe988c
SHA256 182d10ae2814ab3a3512500de3e4229734f595495f29796f131a0523f7370f9a
SHA512 b7028032f6cb8a6a186bb67555e8230ff542261e6c314ead99f1051f57b5f89bb265cadbd9afab35b4eaae5cab14686b64544b0e74fabd96e6116144ab9c905a

memory/4920-68-0x00000000027B0000-0x00000000028B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1980-76-0x0000000000890000-0x0000000000990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1980-77-0x00000000006C0000-0x00000000006CB000-memory.dmp

memory/1980-78-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/4920-79-0x00000000028D0000-0x00000000029C0000-memory.dmp

memory/4920-80-0x00000000028D0000-0x00000000029C0000-memory.dmp

memory/4920-82-0x00000000028D0000-0x00000000029C0000-memory.dmp

memory/4980-83-0x0000000000400000-0x0000000000BA8000-memory.dmp

memory/4980-84-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-85-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-86-0x0000000076C20000-0x0000000076D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D3.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\4D3.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4980-95-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-97-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-100-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4980-101-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/1280-99-0x0000000000B40000-0x0000000000BAB000-memory.dmp

memory/4920-98-0x00000000028D0000-0x00000000029C0000-memory.dmp

memory/4980-102-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/1280-103-0x0000000000E00000-0x0000000000E80000-memory.dmp

memory/1280-104-0x0000000000B40000-0x0000000000BAB000-memory.dmp

memory/2768-107-0x0000000004C80000-0x0000000005079000-memory.dmp

memory/208-108-0x0000000000780000-0x000000000078C000-memory.dmp

memory/2768-111-0x0000000005080000-0x000000000596B000-memory.dmp

memory/1980-129-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3156-118-0x0000000002B80000-0x0000000002B96000-memory.dmp

memory/208-114-0x0000000000780000-0x000000000078C000-memory.dmp

memory/2768-138-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\072bfbe8-0662-462c-bd22-7fda1ce1b4b3\E4E2.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/752-141-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1280-142-0x0000000000B40000-0x0000000000BAB000-memory.dmp

memory/752-143-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/752-144-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4980-147-0x00000000058D0000-0x00000000058EC000-memory.dmp

memory/4980-149-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-148-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-151-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-153-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-155-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-158-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-160-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4848-161-0x0000000002460000-0x00000000024F5000-memory.dmp

memory/4752-167-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4980-169-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4752-168-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4E2.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/4980-164-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4752-172-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4980-175-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-173-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-177-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4980-179-0x00000000058D0000-0x00000000058E5000-memory.dmp

memory/4624-180-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2768-182-0x0000000005080000-0x000000000596B000-memory.dmp

memory/4980-184-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4624-185-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/4980-186-0x0000000005930000-0x0000000005940000-memory.dmp

memory/4624-188-0x0000000007540000-0x0000000007550000-memory.dmp

memory/4980-187-0x0000000000400000-0x0000000000BA8000-memory.dmp

memory/2768-189-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2768-190-0x0000000004C80000-0x0000000005079000-memory.dmp

memory/4624-192-0x00000000084E0000-0x0000000008AF8000-memory.dmp

memory/2768-191-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4624-193-0x0000000007670000-0x0000000007682000-memory.dmp

memory/4624-194-0x00000000077D0000-0x00000000078DA000-memory.dmp

memory/4624-195-0x0000000007700000-0x000000000773C000-memory.dmp

memory/4624-196-0x0000000007740000-0x000000000778C000-memory.dmp

memory/4624-199-0x0000000007FB0000-0x0000000008016000-memory.dmp

memory/2768-200-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4624-201-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/4624-202-0x0000000007540000-0x0000000007550000-memory.dmp

C:\Users\Admin\AppData\Roaming\rbvhusd

MD5 629d9bcff1e6ec968a9d8c3997e034cd
SHA1 68cbd39ef872b6006196dd53542a43650dfe988c
SHA256 182d10ae2814ab3a3512500de3e4229734f595495f29796f131a0523f7370f9a
SHA512 b7028032f6cb8a6a186bb67555e8230ff542261e6c314ead99f1051f57b5f89bb265cadbd9afab35b4eaae5cab14686b64544b0e74fabd96e6116144ab9c905a

memory/4624-206-0x0000000008D80000-0x0000000008DF6000-memory.dmp

memory/3708-207-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/3708-208-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ou1uosix.yln.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2768-228-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2184-231-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D3.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2768-267-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 4fd6b3a467056385abd8ed1f85da0fa2
SHA1 4c42cd69ac787622af8b0748cb72b76911f9ff76
SHA256 5e9fcb024a6b188bad3226ea736d4b95df2a5cc6b493e0fab951c5bc051fbfec
SHA512 525067ffa8c9ef372255eaf264114971590a64cd06302e33ef89d5465eded3a1579b8b79efa1b445e593fa2cd907ed3394b4f1193c0ed63157ed5f06d4889289

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b0f3504eb5327ce5c3f25140df35b4c6
SHA1 9f5f9c9b7232469259ac99fb2419373624691663
SHA256 c276b91adf02297844f7778c03ddd7ff3cb4f7fbd3eddbc37bb80e3e16a159f8
SHA512 51e29cd0cc9e824ff3643b0393d481633449efebb44d9fc437653898ac0edac357816ca3895f2aa438c881302ccf8acb868c1ba939dfa8f038b26d6eb2a038cb

memory/3632-336-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3bff3043d54847605d4e71bc2f06b3b8
SHA1 6b7906eac9d68fee3967e63939cea4073cd1f515
SHA256 98c31c081f97511104e11af907a184cf478060e575e3fccf8e3cc162f8bb3f53
SHA512 a05717f83bf29ed342719c6f6f3ead0b01f729b94c45a91af1ef2f412ec848a594fe52f9e28c9c2d4ed02544a63b76c14ea4bd9684d0f4f1f0e1ef5a00233145

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/3632-370-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a090ddc198dd4791bf21472422d09260
SHA1 dd92120ee2ccaab4f4e5437605c39dad7393a7b7
SHA256 4deac339d28e4bd16fbe4cedf1969649a4cea312ec4e0981a8d34c8826d00e8a
SHA512 e3d64b9ef74e3ad9318dce820564accad6f3bc460fda069e22afada7217e8e27fb8207c8318985e79a95120127fdd943504499ecec1dc94124ac94b6b1a22fba

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b964216baa7ec45eced74b681a2618b
SHA1 b5720d1d88166f11f82e5af23985c37cb61970c9
SHA256 27fbf1744904ff56010fc8519111b8cecac3d54b40ff79f467e16bac2c832136
SHA512 d903901a4a9521a7e602ebb91d586deccea7ce0fd398bb641f96d615846e03897ce4b6612ff89f428482be94f9a2a50059a22e10be9b39567de82e95e4ee3d4e

memory/3600-435-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5b2d87a3aa46ded27dc34e959ed4638
SHA1 26b8cc9e777e58562f14c5f0908d4a3a0fe68b1d
SHA256 9f75a0809552e81ba8e5e9484e6e67aefa0874424cd2d8807a269e7aec7618a9
SHA512 bbea807fd64c859b8e884ffebbbea1c393c2da7bcb6cf1f654f2b1b80a923a04b099e52a1c242e6b9aa42866fd80cdf020582751fcb5df2d4990e4968db8573e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4