Malware Analysis Report

2025-06-16 03:31

Sample ID 220815-mbd13scbg3
Target 4.exe
SHA256 e95133b41a680c6eefc46c572c77c90ec1597046bfd5a7d6d6199ed566b43457
Tags
blustealer persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e95133b41a680c6eefc46c572c77c90ec1597046bfd5a7d6d6199ed566b43457

Threat Level: Known bad

The file 4.exe was found to be: Known bad.

Malicious Activity Summary

blustealer persistence stealer

BluStealer

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-15 10:17

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-15 10:17

Reported

2022-08-15 10:19

Platform

win10v2004-20220812-en

Max time kernel

87s

Max time network

90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4.exe"

Signatures

BluStealer

stealer blustealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qejae = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ibiwfo\\Qejae.exe\"" C:\Users\Admin\AppData\Local\Temp\4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ocdms.exe\" .." C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3880 set thread context of 1464 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3880 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3880 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3880 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1464 wrote to memory of 1516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe
PID 1464 wrote to memory of 1488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4.exe

"C:\Users\Admin\AppData\Local\Temp\4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe

"C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe"

C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

"C:\Users\Admin\AppData\Local\Temp\Ocdms.exe"

Network

Country Destination Domain Proto
US 8.253.208.120:80 tcp
IE 20.50.80.209:443 tcp
NL 104.80.225.205:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe

MD5 43fad29e3e0cdba820580d0910c3cfdc
SHA1 939cdf1bb52f4e49192f9959bf539c644796b097
SHA256 edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e
SHA512 2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

MD5 143df79cc6329bb7d28a3914af42bad0
SHA1 bb40cbe713905da365bdfbfaa76b5afa2711500b
SHA256 c7caa2be3c12c49ed887e08a9f87afbbaef669f64ab5d9ab7a7e1acd95a99f5e
SHA512 face945582b4b52c35c7335caf2ba0e40296f029412e0b9f0a6fcb7764b3574ffabcd0fa7ba41d22ef9570c93f55a0ce058124f9efe279740bbd7b02b2459aa8

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-15 10:17

Reported

2022-08-15 10:19

Platform

win7-20220812-en

Max time kernel

43s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4.exe"

Signatures

BluStealer

stealer blustealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qejae = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ibiwfo\\Qejae.exe\"" C:\Users\Admin\AppData\Local\Temp\4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ocdms.exe\" .." C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2044 set thread context of 828 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2044 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 828 wrote to memory of 468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe
PID 828 wrote to memory of 944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4.exe

"C:\Users\Admin\AppData\Local\Temp\4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe

"C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe"

C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

"C:\Users\Admin\AppData\Local\Temp\Ocdms.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Icwumtv.exe

MD5 43fad29e3e0cdba820580d0910c3cfdc
SHA1 939cdf1bb52f4e49192f9959bf539c644796b097
SHA256 edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e
SHA512 2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

\Users\Admin\AppData\Local\Temp\Ocdms.exe

MD5 143df79cc6329bb7d28a3914af42bad0
SHA1 bb40cbe713905da365bdfbfaa76b5afa2711500b
SHA256 c7caa2be3c12c49ed887e08a9f87afbbaef669f64ab5d9ab7a7e1acd95a99f5e
SHA512 face945582b4b52c35c7335caf2ba0e40296f029412e0b9f0a6fcb7764b3574ffabcd0fa7ba41d22ef9570c93f55a0ce058124f9efe279740bbd7b02b2459aa8
