Malware Analysis Report

2025-01-18 06:51

Sample ID 231012-sdsj5shc76
Target 14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe
SHA256 14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware trojan vidar d37c48c18c73cc0e155c7e1dfde06db9 spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2

Threat Level: Known bad

The file 14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe was found to be: Known bad.

Malicious Activity Summary


RedLine payload

RedLine

SmokeLoader

Glupteba

Glupteba payload

Vidar

Djvu Ransomware

Detected Djvu ransomware

Amadey

Modifies Windows Firewall

Downloads MZ/PE file

Checks computer location settings

Modifies file permissions

Deletes itself

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks processor information in registry

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Analysis: static1

Detonation Overview

Reported

2023-10-12 15:00

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 15:00

Reported

2023-10-16 08:25

Platform

win10v2004-20230915-en

Max time kernel

104s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload


RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B276.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b0b041b5-151e-4842-8ddf-144d10745f40\\A8DD.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3188 wrote to memory of 4668 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 3188 wrote to memory of 4668 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 3188 wrote to memory of 4668 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 3188 wrote to memory of 4848 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe
PID 3188 wrote to memory of 4848 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe
PID 3188 wrote to memory of 4848 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe
PID 3188 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 3188 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4668 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4848 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3188 wrote to memory of 1672 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B276.exe
PID 3188 wrote to memory of 1672 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B276.exe
PID 3188 wrote to memory of 1672 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B276.exe
PID 3188 wrote to memory of 408 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8A1.exe
PID 3188 wrote to memory of 408 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8A1.exe
PID 3188 wrote to memory of 408 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8A1.exe
PID 1976 wrote to memory of 568 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1976 wrote to memory of 568 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1976 wrote to memory of 568 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3188 wrote to memory of 4384 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0B0.exe
PID 3188 wrote to memory of 4384 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0B0.exe
PID 3188 wrote to memory of 4384 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0B0.exe
PID 3188 wrote to memory of 2632 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3188 wrote to memory of 2632 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3188 wrote to memory of 2632 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3188 wrote to memory of 2632 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3188 wrote to memory of 2384 | N/A | N/A | C:\Windows\explorer.exe
PID 3188 wrote to memory of 2384 | N/A | N/A | C:\Windows\explorer.exe
PID 3188 wrote to memory of 2384 | N/A | N/A | C:\Windows\explorer.exe
PID 868 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Windows\SysWOW64\icacls.exe
PID 868 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Windows\SysWOW64\icacls.exe
PID 868 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Windows\SysWOW64\icacls.exe
PID 1672 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\B276.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1672 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\B276.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1672 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\B276.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2152 wrote to memory of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2152 wrote to memory of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2152 wrote to memory of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2152 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 868 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 868 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe
PID 2092 wrote to memory of 4640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 4640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 4640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 4568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe

"C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe"

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

C:\Users\Admin\AppData\Local\Temp\AB30.exe

C:\Users\Admin\AppData\Local\Temp\AB30.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AF48.dll

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\B276.exe

C:\Users\Admin\AppData\Local\Temp\B276.exe

C:\Users\Admin\AppData\Local\Temp\B8A1.exe

C:\Users\Admin\AppData\Local\Temp\B8A1.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AF48.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4848 -ip 4848

C:\Users\Admin\AppData\Local\Temp\C0B0.exe

C:\Users\Admin\AppData\Local\Temp\C0B0.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 148

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b0b041b5-151e-4842-8ddf-144d10745f40" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

"C:\Users\Admin\AppData\Local\Temp\A8DD.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

"C:\Users\Admin\AppData\Local\Temp\A8DD.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\C0B0.exe

"C:\Users\Admin\AppData\Local\Temp\C0B0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.208.253.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | onualituyrs.org | udp
RU | 91.215.85.209:80 | onualituyrs.org | tcp
RU | 91.215.85.209:443 | onualituyrs.org | tcp
US | 8.8.8.8:53 | sumagulituyo.org | udp
US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp
US | 34.94.245.237:80 | sumagulituyo.org | tcp
US | 8.8.8.8:53 | snukerukeutit.org | udp
US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 104.198.2.251:80 | snukerukeutit.org | tcp
US | 8.8.8.8:53 | lightseinsteniki.org | udp
SG | 34.143.166.163:80 | lightseinsteniki.org | tcp
US | 8.8.8.8:53 | liuliuoumumy.org | udp
US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp
SG | 34.143.166.163:80 | liuliuoumumy.org | tcp
US | 8.8.8.8:53 | stualialuyastrelia.net | udp
RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp
US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp
RU | 79.137.192.18:80 | 79.137.192.18 | tcp
US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp
US | 8.8.8.8:53 | alayyadcare.com | udp
PS | 213.6.54.58:443 | alayyadcare.com | tcp
US | 8.8.8.8:53 | montereyclub.org | udp
US | 172.67.196.133:443 | montereyclub.org | tcp
US | 8.8.8.8:53 | loveperry.org | udp
US | 172.67.213.185:443 | loveperry.org | tcp
US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 188.114.97.0:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp
RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp
US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp
RU | 79.137.192.18:80 | 79.137.192.18 | tcp
US | 8.8.8.8:53 | wirtshauspost.at | udp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
US | 8.8.8.8:53 | 147.209.33.14.in-addr.arpa | udp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
FR | 146.59.161.13:39199 | | tcp
US | 8.8.8.8:53 | 13.161.59.146.in-addr.arpa | udp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
KR | 14.33.209.147:80 | wirtshauspost.at | tcp
US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp

Files

memory/1376-1-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/1376-2-0x00000000022F0000-0x00000000022FB000-memory.dmp

memory/1376-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1376-4-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1376-5-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/1376-6-0x00000000022F0000-0x00000000022FB000-memory.dmp

memory/3188-7-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/1376-9-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\AB30.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\AB30.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/4668-26-0x00000000048D0000-0x000000000496D000-memory.dmp

memory/4668-27-0x0000000004A60000-0x0000000004B7B000-memory.dmp

memory/868-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/868-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A8DD.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/768-32-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B276.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\B276.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/868-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AF48.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Local\Temp\B8A1.exe

MD5 e9fb654e3c0663dafa388c2983682485
SHA1 155aefc6c6f3127e1a7bd39da961e4806ef67bf5
SHA256 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630
SHA512 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4

C:\Users\Admin\AppData\Local\Temp\B8A1.exe

MD5 e9fb654e3c0663dafa388c2983682485
SHA1 155aefc6c6f3127e1a7bd39da961e4806ef67bf5
SHA256 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630
SHA512 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4

memory/868-45-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C0B0.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\C0B0.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\AF48.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/4384-53-0x0000000004CD0000-0x00000000050D2000-memory.dmp

memory/2384-56-0x0000000000B20000-0x0000000000B2C000-memory.dmp

memory/4384-55-0x00000000050E0000-0x00000000059CB000-memory.dmp

memory/408-57-0x0000000000920000-0x000000000092B000-memory.dmp

memory/2384-60-0x0000000000B20000-0x0000000000B2C000-memory.dmp

memory/408-58-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/2384-59-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/4384-61-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/408-62-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

memory/768-63-0x0000000074380000-0x0000000074B30000-memory.dmp

memory/568-64-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/568-66-0x0000000000A20000-0x0000000000A26000-memory.dmp

memory/2632-68-0x0000000001400000-0x000000000146B000-memory.dmp

memory/3188-69-0x0000000002B80000-0x0000000002B96000-memory.dmp

memory/408-71-0x0000000000400000-0x00000000007CC000-memory.dmp


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 15:00

Reported

2023-10-16 08:21

Platform

win7-20230831-en

Max time kernel

148s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4574c3bc-b872-4083-95a7-86a7027d5bc5\\D0F5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D0F5.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231016082002.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D25D.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hgtdrtc N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hgtdrtc N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hgtdrtc N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hgtdrtc N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\E4E7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\D0F5.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\D0F5.exe C:\Users\Admin\AppData\Local\Temp\D0F5.exe
PID 1248 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe
PID 1248 wrote to memory of 2456 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2456 wrote to memory of 2488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2672 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB16.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB16.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB16.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB16.exe
PID 2672 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2672 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2672 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\D25D.exe C:\Windows\SysWOW64\WerFault.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe

"C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe"

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

C:\Users\Admin\AppData\Local\Temp\D25D.exe

C:\Users\Admin\AppData\Local\Temp\D25D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D74E.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D74E.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\DB16.exe

C:\Users\Admin\AppData\Local\Temp\DB16.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 92

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4574c3bc-b872-4083-95a7-86a7027d5bc5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\E4E7.exe

C:\Users\Admin\AppData\Local\Temp\E4E7.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

"C:\Users\Admin\AppData\Local\Temp\D0F5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

"C:\Users\Admin\AppData\Local\Temp\D0F5.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {8E4EFDAA-F698-4F15-82ED-C10751F89533} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\hgtdrtc

C:\Users\Admin\AppData\Roaming\hgtdrtc

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016082002.log C:\Windows\Logs\CBS\CbsPersist_20231016082002.cab

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe

"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe"

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe

"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe"

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe

"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe"

C:\Users\Admin\AppData\Local\Temp\E4E7.exe

"C:\Users\Admin\AppData\Local\Temp\E4E7.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe

"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.168.53.110:80 colisumy.com tcp
KR 211.40.39.251:80 zexeq.com tcp
KR 211.40.39.251:80 zexeq.com tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 128.140.102.206:80 128.140.102.206 tcp

Files

memory/2016-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

memory/2016-2-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2016-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1248-4-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

memory/2016-6-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2700-20-0x0000000004380000-0x0000000004411000-memory.dmp

memory/2700-21-0x0000000004380000-0x0000000004411000-memory.dmp

\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\D25D.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2700-26-0x0000000004420000-0x000000000453B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D25D.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2948-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2948-33-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2700-36-0x0000000004380000-0x0000000004411000-memory.dmp

memory/2948-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2948-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D74E.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

\Users\Admin\AppData\Local\Temp\D74E.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2308-42-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2308-43-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2488-46-0x00000000001E0000-0x00000000001E6000-memory.dmp

memory/2488-45-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2308-51-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2308-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB16.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2308-47-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2308-44-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB16.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2308-59-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2308-61-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\D25D.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\D25D.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\D25D.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E4E7.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\E4E7.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2188-93-0x0000000004910000-0x0000000004D08000-memory.dmp

C:\Users\Admin\AppData\Local\4574c3bc-b872-4083-95a7-86a7027d5bc5\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2832-96-0x0000000000370000-0x00000000003DB000-memory.dmp

memory/1816-101-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1816-97-0x0000000000060000-0x000000000006C000-memory.dmp

\Users\Admin\AppData\Local\Temp\D25D.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2832-112-0x0000000000370000-0x00000000003DB000-memory.dmp

\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2948-116-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1548-118-0x0000000000310000-0x00000000003A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/1548-123-0x0000000000310000-0x00000000003A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0F5.exe

MD5 b2c45459a0713d87615afcd993544e4f
SHA1 3d6065263779f06698a7c031da4d13e1ce46cfe0
SHA256 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512 ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed

memory/2308-127-0x0000000072B40000-0x000000007322E000-memory.dmp

memory/2188-128-0x0000000004D10000-0x00000000055FB000-memory.dmp

memory/2188-129-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2308-130-0x0000000007320000-0x0000000007360000-memory.dmp

memory/1952-131-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-132-0x0000000004910000-0x0000000004D08000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 978b57edca72d998532efdd3ff63cae5
SHA1 fbc4dd007f1a0c2d025907dbeaf634e62f3673c3
SHA256 c63a024200990ca9d1e1402db37ae00e11e66d99e5f34ca84b25afb2c2006faa
SHA512 bc036f32c60c6188d14f9dac397e39f84a0bbcfaab0fc8f4e0306f5a8205b1ac1b6aeceb7769b2024299bec315b4b33d1e435d4fd181ce30c3f5206a292110d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 639acdaace58c43d0f7bd1e39500f3e9
SHA1 5cbd8726f735229378f02c46f21a999f97ecadcd
SHA256 f656a4d01e8098ee56f6ea78e9946b617e1da0958eb882898efb5dc42759aad0
SHA512 7cf8ec1c20a0ca4ac806968170516e1aaabdfb2c5b31cb42405911592283ef18108b404cde5e1d9205b66d27aaf535464923b4486086d7570078d9eb86665bde

C:\Users\Admin\AppData\Local\Temp\CabFC49.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9167d197c1a352fbd579b3437d0be8f6
SHA1 42e51ce9cc8e23dbcd984aaa1c8868bdd1574fa0
SHA256 d5d601dcc3d75a4cbaffaf9f283a9bb5ddb5393f1a96e8a3e9c2edd4828243b4
SHA512 92473a1a4cdd26b7395a8b11450bfab5f70ec713f044f3b3f0f937bfa810bf1705889a9bd9bc07913d80ebe5fb9d17f04bd1744c3741c87714f825ab757e4bd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 04d39672c3b92d23894a2ca962c1f4f0
SHA1 69b9a70f3d511a4036cf022f74b147af0e28ab17
SHA256 fa8ebdeb713966cef4ec1bff3d12c3739ff1bf8eae86f85f0725aeea67fcad4b
SHA512 bd88a445eddd9a7af00bfe2f1d59072c6ab15d6435637e9a6fdb740637684b9fe70982089fce3204a3bbc7948655912fa60e83a37820d9aabac4a11552d24b50

memory/2488-145-0x0000000002360000-0x0000000002483000-memory.dmp

memory/2488-147-0x0000000002490000-0x0000000002598000-memory.dmp

memory/2488-146-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2488-148-0x0000000002490000-0x0000000002598000-memory.dmp

memory/2488-150-0x0000000002490000-0x0000000002598000-memory.dmp

memory/2488-151-0x0000000002490000-0x0000000002598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4E7.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1952-153-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-154-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\hgtdrtc

MD5 ce4397978685f0b61fcd99b96a1740f0
SHA1 4b54c7ba5a43f81765407609675f300947704fae
SHA256 14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2
SHA512 989d27f43a690bde54007eb64a7311e973b76d785ced33c237ab33f044b04c8f53f4fe14b43769177d4437f7d8c057d9140189bfd5ff30a26618b217ec91bb01

C:\Users\Admin\AppData\Roaming\hgtdrtc

MD5 ce4397978685f0b61fcd99b96a1740f0
SHA1 4b54c7ba5a43f81765407609675f300947704fae
SHA256 14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2
SHA512 989d27f43a690bde54007eb64a7311e973b76d785ced33c237ab33f044b04c8f53f4fe14b43769177d4437f7d8c057d9140189bfd5ff30a26618b217ec91bb01

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2188-159-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1952-165-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-163-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-167-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2308-171-0x0000000072B40000-0x000000007322E000-memory.dmp

\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2188-180-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2308-181-0x0000000007320000-0x0000000007360000-memory.dmp

memory/2868-182-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2868-183-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2868-184-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1952-185-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2868-222-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1952-198-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2588-225-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2704-208-0x0000000000220000-0x0000000000271000-memory.dmp

memory/2588-207-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2704-206-0x0000000002494000-0x00000000024C3000-memory.dmp

C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2588-203-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1248-201-0x0000000003A90000-0x0000000003AA6000-memory.dmp

memory/2588-200-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2188-190-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4E7.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1472-227-0x00000000049F0000-0x0000000004DE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar562C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2188-229-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1472-236-0x00000000049F0000-0x0000000004DE8000-memory.dmp

memory/1472-237-0x0000000004DF0000-0x00000000056DB000-memory.dmp

memory/1472-238-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2588-288-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2588-318-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2588-350-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1472-351-0x00000000049F0000-0x0000000004DE8000-memory.dmp

memory/2272-359-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2272-356-0x0000000000980000-0x0000000000A80000-memory.dmp

memory/1472-370-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2624-373-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2308-467-0x0000000072B40000-0x000000007322E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2248-658-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/308-665-0x0000000000400000-0x0000000000406000-memory.dmp