Malware Analysis Report

2025-01-18 06:22

Sample ID 231017-wmcrtsfa4y
Target NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe
SHA256 d3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79be
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1 rootkit spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79be

Threat Level: Known bad

The file NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1 rootkit spyware upx

SmokeLoader

RedLine

RedLine payload

Glupteba payload

Glupteba

Amadey

Detected Djvu ransomware

Djvu Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Themida packer

Deletes itself

Loads dropped DLL

UPX packed file

Executes dropped EXE

Modifies file permissions

Checks BIOS information in registry

Checks computer location settings

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 18:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 18:01

Reported

2023-10-17 18:04

Platform

win7-20230831-en

Max time kernel

103s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(8 rows, every column N/A)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4BB1.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4BB1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4BB1.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\455A.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e302e423-bbd8-41eb-be43-8491ed6d0fa4\\455A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\455A.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4BB1.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BB1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2528 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
(62 further rows, every column N/A)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 1248 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 1248 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 1248 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 1248 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4BB1.exe
PID 1248 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4BB1.exe
PID 1248 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4BB1.exe
PID 1248 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4BB1.exe
PID 1248 wrote to memory of 2520 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2520 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2520 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2520 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2520 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1248 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\Temp\565D.exe
PID 1248 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\Temp\565D.exe
PID 1248 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\Temp\565D.exe
PID 1248 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\Temp\565D.exe
PID 1248 wrote to memory of 964 N/A N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe
PID 1248 wrote to memory of 964 N/A N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe
PID 1248 wrote to memory of 964 N/A N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe
PID 1248 wrote to memory of 964 N/A N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe
PID 1248 wrote to memory of 2280 N/A N/A C:\Users\Admin\AppData\Local\Temp\7E49.exe
PID 1248 wrote to memory of 2280 N/A N/A C:\Users\Admin\AppData\Local\Temp\7E49.exe
PID 1248 wrote to memory of 2280 N/A N/A C:\Users\Admin\AppData\Local\Temp\7E49.exe
PID 1248 wrote to memory of 2280 N/A N/A C:\Users\Admin\AppData\Local\Temp\7E49.exe
PID 2492 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Windows\SysWOW64\icacls.exe
PID 2492 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Windows\SysWOW64\icacls.exe
PID 2492 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Windows\SysWOW64\icacls.exe
PID 2492 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Windows\SysWOW64\icacls.exe
PID 1248 wrote to memory of 2904 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 2904 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 2904 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 2904 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 2904 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 964 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 964 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 964 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 964 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2852 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2852 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2852 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2852 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
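The WriteProcessMemory table above repeats each writer/target pair several times, and the report never names the image behind PID 1248 (its Process column is N/A in every row). The script below is an added example, not part of the sandbox report or its tooling: it parses rows copied from that table, deduplicates them, rebuilds the spawn/injection graph, and flags the one pair where writer and target share an image (455A.exe writing into a second 455A.exe, which together with the "PID 2528 set thread context of 2492" row in the SetThreadContext table is the start-suspended-then-overwrite pattern). The ROWS text is constructed from the table; every function and label in the script is the example's own.

```python
"""Rebuild the spawn/injection graph from a sandbox report's
'Suspicious use of WriteProcessMemory' rows (added example).

ROWS is copied from the report's table, duplicates included, so the
parser has to dedupe. Columns are: Description, Indicator, Process, Target.
"""
import re
from collections import OrderedDict

ROWS = r"""
PID 1248 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 1248 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 2528 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Users\Admin\AppData\Local\Temp\455A.exe
PID 1248 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4BB1.exe
PID 1248 wrote to memory of 2520 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2520 wrote to memory of 1064 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1248 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\Temp\565D.exe
PID 1248 wrote to memory of 964 N/A N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe
PID 1248 wrote to memory of 2280 N/A N/A C:\Users\Admin\AppData\Local\Temp\7E49.exe
PID 2492 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\455A.exe C:\Windows\SysWOW64\icacls.exe
PID 1248 wrote to memory of 2904 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 964 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\65D9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2852 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
"""

# Description, then the Indicator / Process / Target columns (no spaces in these paths).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_rows(text):
    """Return (edges, images): edges is an ordered list of unique
    (writer_pid, target_pid) pairs, images maps pid -> image path where
    the report names one (the writer of the first-level rows is N/A)."""
    edges = OrderedDict()            # insertion-ordered set
    images = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, _indicator, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] = None
        if src_img != "N/A":
            images[src] = src_img
        if dst_img != "N/A":
            images[dst] = dst_img
    return list(edges), images


def build_tree(edges):
    """children[pid] -> list of written-to pids; roots never appear as a target."""
    children = OrderedDict()
    targets = set()
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
        targets.add(dst)
    roots = [src for src in children if src not in targets]
    return children, roots


def render(children, images, roots):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        name = images.get(pid, "<image not named in report>")
        lines.append("  " * depth + f"{pid}  {name}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def same_image_writes(edges, images):
    """Writer and target share an image: a process writing into a fresh
    copy of itself, the usual shape of start-suspended-and-overwrite."""
    return [(s, d, images[s]) for s, d in edges
            if s in images and d in images and images[s] == images[d]]


if __name__ == "__main__":
    edges, images = parse_rows(ROWS)
    children, roots = build_tree(edges)
    print(render(children, images, roots))
    for s, d, img in same_image_writes(edges, images):
        print(f"same-image write: {s} -> {d} ({img})")
```

The root prints as `1248  <image not named in report>`; everything the report attributes to SysWOW64\explorer.exe (the Outlook profile reads) hangs off PID 2904, which the same unnamed writer created, so the tree ties the collection activity to the loader rather than to a dropped binary.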

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\455A.exe

C:\Users\Admin\AppData\Local\Temp\455A.exe

C:\Users\Admin\AppData\Local\Temp\455A.exe

C:\Users\Admin\AppData\Local\Temp\455A.exe

C:\Users\Admin\AppData\Local\Temp\4BB1.exe

C:\Users\Admin\AppData\Local\Temp\4BB1.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5247.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5247.dll

C:\Users\Admin\AppData\Local\Temp\565D.exe

C:\Users\Admin\AppData\Local\Temp\565D.exe

C:\Users\Admin\AppData\Local\Temp\65D9.exe

C:\Users\Admin\AppData\Local\Temp\65D9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7E49.exe

C:\Users\Admin\AppData\Local\Temp\7E49.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e302e423-bbd8-41eb-be43-8491ed6d0fa4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\455A.exe

"C:\Users\Admin\AppData\Local\Temp\455A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\455A.exe

"C:\Users\Admin\AppData\Local\Temp\455A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 51.254.67.186:16176 N/A tcp
RU 31.41.244.27:41140 N/A tcp

Files

memory/2820-1-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/2820-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2820-3-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/2820-5-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/1248-4-0x0000000002A20000-0x0000000002A36000-memory.dmp

memory/2820-7-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1248-9-0x000007FEF5A30000-0x000007FEF5B73000-memory.dmp

memory/1248-10-0x000007FF2CDF0000-0x000007FF2CDFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2528-23-0x0000000000290000-0x0000000000322000-memory.dmp

memory/2528-24-0x0000000000290000-0x0000000000322000-memory.dmp

\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2492-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2528-29-0x0000000001E90000-0x0000000001FAB000-memory.dmp

memory/2492-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2528-33-0x0000000000290000-0x0000000000322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2492-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2492-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2812-40-0x0000000000B80000-0x0000000001328000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4BB1.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2812-41-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-42-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-43-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-44-0x0000000074EF0000-0x0000000074F37000-memory.dmp

memory/2812-45-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-46-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-48-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-50-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-51-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-52-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-53-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-54-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-56-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-57-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-58-0x0000000075540000-0x0000000075650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5247.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

memory/2812-59-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-62-0x0000000074EF0000-0x0000000074F37000-memory.dmp

memory/2812-61-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-64-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-63-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-65-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-66-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-68-0x00000000773C0000-0x00000000773C2000-memory.dmp

memory/2812-67-0x0000000075540000-0x0000000075650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\565D.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

C:\Users\Admin\AppData\Local\Temp\565D.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

C:\Users\Admin\AppData\Local\Temp\65D9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2812-93-0x0000000000B80000-0x0000000001328000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65D9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\5247.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2812-101-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-104-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-105-0x0000000074EF0000-0x0000000074F37000-memory.dmp

memory/2812-106-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-107-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-108-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-110-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-109-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-111-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-112-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2492-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2812-114-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-115-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-116-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-117-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-118-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-119-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-120-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-121-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-122-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-123-0x0000000075540000-0x0000000075650000-memory.dmp

memory/2812-125-0x0000000075540000-0x0000000075650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E49.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

C:\Users\Admin\AppData\Local\Temp\7E49.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

memory/2280-132-0x00000000025D0000-0x00000000029C8000-memory.dmp

memory/1064-133-0x0000000010000000-0x00000000101E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\e302e423-bbd8-41eb-be43-8491ed6d0fa4\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2904-141-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/2904-154-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/2812-156-0x0000000000B80000-0x0000000001328000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2876-157-0x00000000000E0000-0x00000000000EC000-memory.dmp

memory/2876-158-0x00000000000E0000-0x00000000000EC000-memory.dmp

memory/1064-159-0x0000000002240000-0x000000000235B000-memory.dmp

memory/1064-160-0x0000000002360000-0x000000000245F000-memory.dmp

memory/1064-163-0x0000000002360000-0x000000000245F000-memory.dmp

memory/1064-164-0x0000000002360000-0x000000000245F000-memory.dmp

memory/1064-165-0x0000000000140000-0x0000000000146000-memory.dmp

memory/2812-166-0x0000000073D70000-0x000000007445E000-memory.dmp

memory/2492-167-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2280-169-0x0000000000400000-0x0000000000D6F000-memory.dmp

memory/2280-170-0x00000000025D0000-0x00000000029C8000-memory.dmp

memory/2280-171-0x00000000029D0000-0x00000000032BB000-memory.dmp

memory/1888-172-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1888-173-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1888-174-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1888-175-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1888-177-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1888-176-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/1888-181-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/1888-185-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2248-187-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2492-183-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

\Users\Admin\AppData\Local\Temp\455A.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\7E49.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

memory/2812-200-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-201-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-203-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-205-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-207-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-209-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-211-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-213-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-215-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-217-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-219-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-221-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2812-223-0x00000000003A0000-0x00000000003B5000-memory.dmp

memory/2512-224-0x0000000000400000-0x000000000045A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 18:01

Reported

2023-10-17 18:06

Platform

win10v2004-20230915-en

Max time kernel

164s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(14 rows, all columns N/A)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(8 rows, all columns N/A)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9B74.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8E8F.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
(4 rows, all columns N/A)

UPX packed file

upx
Description Indicator Process Target
(3 rows, all columns N/A)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\64c10acf-94be-485c-940a-ada892953a02\\8E8F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8E8F.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
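The signature tables above, and the "PID X wrote to memory of Y" rows under Suspicious use of WriteProcessMemory further down in this analysis, are flattened sandbox tables: one row per event, with the same parent/child pair repeated once per WriteProcessMemory call. The Python below is an added example, not code from the sandbox or from any of the families named in this report. It parses rows of that shape into records, tags the ones a responder cares about here (the VirtualBox ACPI and BIOS version checks, the EnableLUA query, the Run values, the WinMonFS handle, files dropped under C:\Windows), and collapses the repeated memory-write rows into a parent/child process tree. The sample rows are copied from this report; the tag names and match patterns are this example's own choices, not Triage's categories. It assumes, as holds throughout this report, that the Process and Target columns contain no spaces, so they can be peeled off the right of each row. The image name of PID 2568 is never given in those rows (its Process column is N/A), so it renders as unknown. Note that the Run value named csrss points at C:\Windows\rss\csrss.exe, not the legitimate csrss.exe under System32, which is why the drop location gets a tag of its own.

```python
"""Added example: turn flattened Triage-style signature rows into IOC records and a process tree."""
import re
from collections import defaultdict

# Constructed sample input: rows copied from the behavioral2 tables in this report.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\64c10acf-94be-485c-940a-ada892953a02\\8E8F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8E8F.exe N/A',
    r"File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A",
    r"File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A",
    r"File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A",
    r"File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A",
    r"PID 2568 wrote to memory of 460 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe",
    r"PID 2568 wrote to memory of 460 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe",
    r"PID 2568 wrote to memory of 4852 N/A N/A C:\Users\Admin\AppData\Local\Temp\B1CD.exe",
    r"PID 2568 wrote to memory of 4724 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B74.exe",
    r"PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe",
    r"PID 2692 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Windows\SysWOW64\icacls.exe",
    r"PID 4724 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\9B74.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe",
    r"PID 4896 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe",
]

# Description column values that occur in this report's registry and file tables.
ACTIONS = (
    "Set value (str)", "Key value queried", "Key enumerated", "Key created",
    "Key queried", "Key opened", "File opened for modification",
    "File opened (read-only)", "File created",
)
WROTE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Tag -> pattern over the Indicator column. Tag names are this example's own, not Triage's.
RULES = (
    ("anti-vm", re.compile(r"\\ACPI\\DSDT\\VBOX__|\\VBoxMiniRdrDN$|SystemBiosVersion$|VideoBiosVersion$", re.I)),
    ("uac-check", re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("run-key-persistence", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("winmonfs-rootkit", re.compile(r"^\\\?\?\\WinMonFS$", re.I)),
    ("drop-in-windows-dir", re.compile(r"^C:\\Windows\\", re.I)),
)


def parse_row(row):
    """Split one flattened 'Description Indicator Process Target' row into a record.

    Process and Target carry no spaces in this report, so they are peeled off the
    right; the Indicator (which may contain spaces) is whatever remains."""
    action = next((a for a in ACTIONS if row.startswith(a + " ")), None)
    if action is None:
        return None
    rest, target = row[len(action) + 1:].rsplit(" ", 1)
    indicator, process = rest.rsplit(" ", 1)
    data = None
    if action == "Set value (str)":
        # REG_SZ data is quoted, with embedded quotes and backslashes escaped
        indicator, _, raw = indicator.partition(" = ")
        data = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return {
        "action": action,
        "indicator": indicator,
        "data": data,
        "process": process,
        "target": None if target == "N/A" else target,
        "tags": [name for name, rx in RULES if rx.search(indicator)],
    }


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ioc_summary(rows):
    """Map each tag to the sorted list of process basenames that triggered it."""
    summary = defaultdict(set)
    for row in rows:
        rec = parse_row(row)
        if rec:
            for tag in rec["tags"]:
                summary[tag].add(basename(rec["process"]))
    return {tag: sorted(procs) for tag, procs in summary.items()}


def process_tree(rows):
    """Collapse repeated 'PID X wrote to memory of Y' rows into parent -> children edges."""
    names, children = {}, defaultdict(set)
    for row in rows:
        m = WROTE.match(row)
        if not m:
            continue
        parent, child, parent_name, child_name = m.groups()
        if parent_name != "N/A":
            names[parent] = parent_name
        names[child] = child_name
        children[parent].add(child)
    return names, children


def render_tree(names, children, pid, depth=0):
    """Return indented lines for the subtree rooted at pid."""
    lines = ["  " * depth + f"{pid} {basename(names.get(pid, '<unknown>'))}"]
    for kid in sorted(children.get(pid, ()), key=int):
        lines.extend(render_tree(names, children, kid, depth + 1))
    return lines


if __name__ == "__main__":
    for tag, procs in ioc_summary(SAMPLE_ROWS).items():
        print(f"{tag:22} {', '.join(procs)}")
    names, children = process_tree(SAMPLE_ROWS)
    print("\n".join(render_tree(names, children, "2568")))
```

Feeding the full WriteProcessMemory table to process_tree gives the loader's fan-out in one glance (the dropped 8E8F, 91AD, 9808, 9B74, A5D5 and B1CD executables, plus regsvr32), and ioc_summary turns the scattered registry and file rows into a short per-tag list of which dropped binary did what, which is the form a host-based check or a detection rule starts from.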

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A5D5.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A5D5.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A5D5.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
(62 further rows, all columns N/A)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A5D5.exe N/A
(4 further rows, all columns N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\91AD.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\B1CD.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 460 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 2568 wrote to memory of 460 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 2568 wrote to memory of 460 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 2568 wrote to memory of 3504 N/A N/A C:\Users\Admin\AppData\Local\Temp\91AD.exe
PID 2568 wrote to memory of 3504 N/A N/A C:\Users\Admin\AppData\Local\Temp\91AD.exe
PID 2568 wrote to memory of 3504 N/A N/A C:\Users\Admin\AppData\Local\Temp\91AD.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 460 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Users\Admin\AppData\Local\Temp\8E8F.exe
PID 2568 wrote to memory of 1864 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1864 wrote to memory of 1408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 4672 N/A N/A C:\Users\Admin\AppData\Local\Temp\9808.exe
PID 2568 wrote to memory of 4724 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B74.exe
PID 4724 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\9B74.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4896 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4896 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2852 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5D5.exe
PID 2328 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\8E8F.exe C:\Windows\SysWOW64\icacls.exe
PID 2568 wrote to memory of 4852 N/A N/A C:\Users\Admin\AppData\Local\Temp\B1CD.exe
PID 2328 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4672 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\9808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4672 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\9808.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 4100 N/A N/A C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd3dbd4a3bca68c48f382dfecb9dd236b03466b7363cba5f34f968a04f88a79beexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\8E8F.exe

C:\Users\Admin\AppData\Local\Temp\8E8F.exe

C:\Users\Admin\AppData\Local\Temp\91AD.exe

C:\Users\Admin\AppData\Local\Temp\91AD.exe

C:\Users\Admin\AppData\Local\Temp\8E8F.exe

C:\Users\Admin\AppData\Local\Temp\8E8F.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9690.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9690.dll

C:\Users\Admin\AppData\Local\Temp\9808.exe

C:\Users\Admin\AppData\Local\Temp\9808.exe

C:\Users\Admin\AppData\Local\Temp\9B74.exe

C:\Users\Admin\AppData\Local\Temp\9B74.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\A5D5.exe

C:\Users\Admin\AppData\Local\Temp\A5D5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\64c10acf-94be-485c-940a-ada892953a02" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\B1CD.exe

C:\Users\Admin\AppData\Local\Temp\B1CD.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\8E8F.exe

"C:\Users\Admin\AppData\Local\Temp\8E8F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8E8F.exe

"C:\Users\Admin\AppData\Local\Temp\8E8F.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2672 -ip 2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\B1CD.exe

"C:\Users\Admin\AppData\Local\Temp\B1CD.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network


Files
