Malware Analysis Report

2025-01-18 06:37

Sample ID 231014-mtx7nsce2x
Target NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe
SHA256 a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
Tags
amadey djvu glupteba redline smokeloader vidar d37c48c18c73cc0e155c7e1dfde06db9 logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper infostealer loader persistence ransomware spyware stealer trojan pub1 evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271

Threat Level: Known bad

The file NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

SmokeLoader

Vidar

Glupteba

Djvu Ransomware

Glupteba payload

RedLine payload

RedLine

Amadey

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Checks computer location settings

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-14 10:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 10:46

Reported

2023-10-15 00:36

Platform

win7-20230831-en

Max time kernel

191s

Max time network

196s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(16 events; no description, indicator, process or target recorded)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(7 events; no description, indicator, process or target recorded)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(4 events; no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\76352554-0e1a-4793-a28b-223740cbc378\\CF8F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CF8F.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <binary blob omitted> C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <binary blob omitted> C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
(62 further events; no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
(4 further events; no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\590E.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\590E.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2284 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1264 wrote to memory of 2284 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1264 wrote to memory of 2284 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1264 wrote to memory of 2284 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1264 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe
PID 1264 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe
PID 1264 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe
PID 1264 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe
PID 2528 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Windows\SysWOW64\icacls.exe
PID 2528 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Windows\SysWOW64\icacls.exe
PID 2528 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Windows\SysWOW64\icacls.exe
PID 2528 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Windows\SysWOW64\icacls.exe
PID 2528 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2528 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2528 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2528 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2548 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\D1F0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1664 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\CF8F.exe C:\Users\Admin\AppData\Local\Temp\CF8F.exe
PID 1264 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCB8.exe
PID 1264 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCB8.exe
PID 1264 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCB8.exe
PID 1264 wrote to memory of 2044 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2044 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2044 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1264 wrote to memory of 2044 N/A N/A C:\Windows\system32\regsvr32.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

C:\Users\Admin\AppData\Local\Temp\D1F0.exe

C:\Users\Admin\AppData\Local\Temp\D1F0.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\76352554-0e1a-4793-a28b-223740cbc378" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

"C:\Users\Admin\AppData\Local\Temp\CF8F.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

"C:\Users\Admin\AppData\Local\Temp\CF8F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FCB8.exe

C:\Users\Admin\AppData\Local\Temp\FCB8.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3F45.dll

C:\Users\Admin\AppData\Local\Temp\44E1.exe

C:\Users\Admin\AppData\Local\Temp\44E1.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\590E.exe

C:\Users\Admin\AppData\Local\Temp\590E.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3F45.dll

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe

"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B8114C9F-A7FC-4604-BB1F-CB51DAF828E3} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe

"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe

"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe"

C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe

"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015003640.log C:\Windows\Logs\CBS\CbsPersist_20231015003640.cab

C:\Users\Admin\AppData\Local\Temp\590E.exe

"C:\Users\Admin\AppData\Local\Temp\590E.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
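
Added example (not part of the sandbox output): a rule-based triage of the command lines listed above. The rules encode only what this Processes section shows, namely the minute-interval schtasks persistence for yiueea.exe and mstsca.exe, the icacls deny ACE on the Djvu drop directory, the CACLS "Admin:N" revocation, the netsh allow rule for C:\Windows\rss\csrss.exe, the silent regsvr32 of 3F45.dll, and the "--Admin IsNotAutoStart IsNotTask" / "--AutoStart" argument convention. The rule names, regexes and the ATT&CK mapping are this example's own; the sample command lines are copied from the section.

```python
"""Rule-based triage of the process command lines in a sandbox report.

Added example; it is not part of the sandbox output. Rule names, regexes and
the ATT&CK mapping are this example's own; the sample lines are copied from
the Processes section of this report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK technique ID, "" for a family marker
    trigger: re.Pattern   # decides whether the rule fires
    extract: re.Pattern   # named groups become the finding's detail


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    detail: tuple         # sorted (key, value) pairs pulled out of the line
    cmdline: str


def _rule(name, technique, trigger, extract):
    return Rule(name, technique, re.compile(trigger, re.I), re.compile(extract, re.I))


# Triggers key on switches rather than the image name, because several rows in
# this report record arguments only ("/s C:\...\3F45.dll", "/C /create ...").
RULES = [
    # /SC MINUTE /MO 1: a watchdog task that restarts the payload every minute.
    _rule("schtasks_minute_trigger", "T1053.005",
          r"/create\b.*?/sc\s+minute\b.*?/mo\s+1\b",
          r'/tn\s+"?(?P<task>[^"\s]+)"?|/tr\s+"(?P<target>[^"]+)"'),
    # Deny Delete and Delete-Child to Everyone (S-1-1-0), inherited by children,
    # on the directory the payload was copied into. Undo with
    # icacls <dir> /remove:d *S-1-1-0 before deleting the files.
    _rule("icacls_deny_everyone_delete", "T1222.001",
          r"\bicacls\b.*?/deny\s+\*S-1-1-0:",
          r'icacls\s+"(?P<path>[^"]+)"|\*S-1-1-0:(?P<rights>\(\S+)'),
    # CACLS <file> /P "<user>:N" replaces the ACL with "no access" for that user.
    _rule("cacls_revoke_user_access", "T1222.001",
          r'\bcacls\s+"[^"]+"\s+/p\s+"[^":]+:N"',
          r'cacls\s+"(?P<path>[^"]+)"\s+/p\s+"(?P<principal>[^":]+):N"'),
    # Inbound allow rule for a binary outside the usual program directories.
    _rule("netsh_firewall_allow_rule", "T1562.004",
          r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b",
          r'name="?(?P<name>[^"\s]+)"?|action=(?P<action>\w+)|program="(?P<program>[^"]+)"'),
    # regsvr32 /s <dll>: silent DllRegisterServer of a dropped DLL.
    _rule("regsvr32_silent_dll", "T1218.010",
          r"/s\s+\S+\.dll\b",
          r'/s\s+(?P<dll>[^\s"]+\.dll)'),
    # Family marker, not a technique: the argument convention on this sample's
    # Djvu re-launches and on its SysHelper Run key value ("--AutoStart").
    _rule("djvu_relaunch_args", "",
          r"--Admin\s+IsNotAutoStart\s+IsNotTask|--AutoStart\b",
          r"(?P<args>--\S+(?:\s+IsNot\S+)*)"),
]


def triage(cmdlines):
    """One Finding per (rule, command line) pair that fires, in input order."""
    findings = []
    for cmd in cmdlines:
        for rule in RULES:
            if not rule.trigger.search(cmd):
                continue
            detail = {}
            for m in rule.extract.finditer(cmd):
                for key, value in m.groupdict().items():
                    if value is not None:
                        detail.setdefault(key, value)   # first occurrence wins
            findings.append(Finding(rule.name, rule.technique, tuple(sorted(detail.items())), cmd))
    return findings


def attack_coverage(findings):
    """Sorted ATT&CK technique IDs hit by the findings."""
    return sorted({f.technique for f in findings if f.technique})


# Command lines copied from the Processes section; makecab.exe writing a
# CbsPersist_*.cab is Windows servicing noise and should fire nothing.
SAMPLE_CMDLINES = [
    r'icacls "C:\Users\Admin\AppData\Local\76352554-0e1a-4793-a28b-223740cbc378" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\CF8F.exe" --Admin IsNotAutoStart IsNotTask',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3F45.dll',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    r'/s C:\Users\Admin\AppData\Local\Temp\3F45.dll',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015003640.log C:\Windows\Logs\CBS\CbsPersist_20231015003640.cab',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.technique or '-':10} {f.rule:28} {dict(f.detail)}")
    print("ATT&CK:", attack_coverage(triage(SAMPLE_CMDLINES)))
```

Rows that the report records as arguments only (the second schtasks line, the second regsvr32 line) still fire because the triggers anchor on the switches rather than the image name; the makecab.exe and the bare `cmd.exe /S /D /c" echo Y"` lines fire nothing. Parent/child context (D1F0.exe spawning AppLaunch.exe with no arguments, a .NET host with nothing to host) cannot be judged from the command line alone and needs the process tree.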

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.1:443 api.2ip.ua tcp
US 188.114.97.1:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
MX 201.110.239.142:80 colisumy.com tcp
KR 211.119.84.112:80 zexeq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
KR 211.119.84.112:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 128.140.102.206:80 128.140.102.206 tcp
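
Added example (not part of the sandbox output): turning the Network rows above into a reviewed IOC set rather than blocking every destination in the table. It drops the sandbox resolver's DNS rows (8.8.8.8:53) while keeping the names they resolved, separates connections made straight to an IP with no lookup, pivots on IPs shared by several domains, and keeps shared public services (api.2ip.ua, t.me, steamcommunity.com) out of the blocklist. The resolver address and the shared-service allowlist are assumptions of this example; the rows are copied from the table with exact duplicates collapsed.

```python
"""Build a reviewed IOC set from the flattened Network table of a sandbox report.

Added example, not part of the report. NETWORK_ROWS copies the table above
("Country Destination Domain Proto") with exact duplicate rows collapsed; the
resolver address and the shared-service allowlist are this example's own.
"""
import ipaddress
from collections import defaultdict, namedtuple

NETWORK_ROWS = """\
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.1:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
MX 201.110.239.142:80 colisumy.com tcp
KR 211.119.84.112:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 128.140.102.206:80 128.140.102.206 tcp
"""

RESOLVER = "8.8.8.8"   # assumption: the sandbox VM's DNS server, not an indicator

# Shared public services the sample talks to. Blocking the host would break
# legitimate use; block specific paths if they are known (they are not in this
# report). The reasons are this example's annotations.
SHARED_SERVICES = {
    "api.2ip.ua": "external IP lookup; the report flags this behaviour itself",
    "t.me": "Telegram profile pages, widely reported as dead-drop C2 resolvers for stealers",
    "steamcommunity.com": "Steam profile pages, same dead-drop pattern",
}

Conn = namedtuple("Conn", "country ip port name proto")


def parse_rows(text):
    conns = []
    for line in filter(str.strip, text.splitlines()):
        country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), name, proto.lower()))
    return conns


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def build_iocs(conns):
    resolved, contacted, direct_ips, shared = set(), set(), set(), {}
    domains, ip_names = defaultdict(set), defaultdict(set)
    for c in conns:
        if c.ip == RESOLVER and c.port == 53 and c.proto == "udp":
            resolved.add(c.name)        # sandbox DNS: keep the name, drop the row
            continue
        contacted.add(c.name)
        if c.name in SHARED_SERVICES:
            shared[c.name] = SHARED_SERVICES[c.name]
        elif _is_ip(c.name):
            direct_ips.add(c.name)      # no lookup at all: hard-coded address
        else:
            domains[c.name].add((c.ip, c.port))
            ip_names[c.ip].add(c.name)  # pivot: one server behind several names
    return {
        "domains": {d: sorted(v) for d, v in domains.items()},
        "direct_ips": sorted(direct_ips),
        "shared_ips": {ip: sorted(n) for ip, n in ip_names.items() if len(n) > 1},
        "shared_services": shared,
        "resolved_only": sorted(resolved - contacted),   # looked up, never connected
    }


def blocklist(iocs):
    """Domains and hard-coded IPs a perimeter rule can block outright."""
    return sorted(iocs["domains"]) + iocs["direct_ips"]


if __name__ == "__main__":
    result = build_iocs(parse_rows(NETWORK_ROWS))
    for key, value in result.items():
        print(key, value)
    print("blocklist:", blocklist(result))
```

The shared-IP pivot shows lightseinsteniki.org and liuliuoumumy.org resolving to the same host (34.143.166.163), and www.microsoft.com is resolved but never connected to in this run, so it carries no weight as an indicator.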

Files

memory/3036-1-0x0000000000230000-0x0000000000330000-memory.dmp

memory/3036-2-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/3036-3-0x00000000003B0000-0x00000000003BB000-memory.dmp

memory/1264-4-0x0000000002A30000-0x0000000002A46000-memory.dmp

memory/3036-5-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2284-20-0x0000000004400000-0x0000000004492000-memory.dmp

memory/2284-21-0x0000000004400000-0x0000000004492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2284-24-0x00000000044A0000-0x00000000045BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2528-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2528-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2284-31-0x0000000004400000-0x0000000004492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D1F0.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

C:\Users\Admin\AppData\Local\Temp\D1F0.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/2528-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2528-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\76352554-0e1a-4793-a28b-223740cbc378\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/1664-60-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/2528-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1664-62-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/1696-64-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1696-63-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1696-66-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/1696-68-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1696-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1696-71-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1664-75-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/1072-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1072-79-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1696-77-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF8F.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c6113f1c49133dabab28c3c26162c969
SHA1 31b7316e1e13002fc985a0fa47f7c457c06ef5c0
SHA256 31d0444a05a2e3edfa6c28b34cc57769cd8eea56a2de6003976ccf23253e57bd

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 10:46

Reported

2023-10-15 00:36

Platform

win10v2004-20230915-en

Max time kernel

65s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8665.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2092 set thread context of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 3220 set thread context of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8F7E.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8F7E.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8F7E.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 2092 N/A N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 3156 wrote to memory of 2092 N/A N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 3156 wrote to memory of 2092 N/A N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 3156 wrote to memory of 3220 N/A N/A C:\Users\Admin\AppData\Local\Temp\5782.exe
PID 3156 wrote to memory of 3220 N/A N/A C:\Users\Admin\AppData\Local\Temp\5782.exe
PID 3156 wrote to memory of 3220 N/A N/A C:\Users\Admin\AppData\Local\Temp\5782.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 2092 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\53A9.exe C:\Users\Admin\AppData\Local\Temp\53A9.exe
PID 3156 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\784A.exe
PID 3156 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\784A.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3220 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\5782.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3156 wrote to memory of 1464 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3156 wrote to memory of 1464 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3156 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\8665.exe
PID 3156 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\8665.exe
PID 3156 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\8665.exe
PID 1464 wrote to memory of 3680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 3680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1464 wrote to memory of 3680 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3156 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F7E.exe
PID 3156 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F7E.exe
PID 3156 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F7E.exe
PID 3156 wrote to memory of 472 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C31.exe
PID 3156 wrote to memory of 472 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C31.exe
PID 3156 wrote to memory of 472 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C31.exe
PID 4288 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\8665.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4288 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\8665.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4288 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\8665.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\53A9.exe

C:\Users\Admin\AppData\Local\Temp\53A9.exe

C:\Users\Admin\AppData\Local\Temp\5782.exe

C:\Users\Admin\AppData\Local\Temp\5782.exe

C:\Users\Admin\AppData\Local\Temp\53A9.exe

C:\Users\Admin\AppData\Local\Temp\53A9.exe

C:\Users\Admin\AppData\Local\Temp\784A.exe

C:\Users\Admin\AppData\Local\Temp\784A.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8470.dll

C:\Users\Admin\AppData\Local\Temp\8665.exe

C:\Users\Admin\AppData\Local\Temp\8665.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8470.dll

C:\Users\Admin\AppData\Local\Temp\8F7E.exe

C:\Users\Admin\AppData\Local\Temp\8F7E.exe

C:\Users\Admin\AppData\Local\Temp\9C31.exe

C:\Users\Admin\AppData\Local\Temp\9C31.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\afddb995-bf8e-476e-9b1a-1ea398658276" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\53A9.exe

"C:\Users\Admin\AppData\Local\Temp\53A9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\53A9.exe

"C:\Users\Admin\AppData\Local\Temp\53A9.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 396 -ip 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\9C31.exe

"C:\Users\Admin\AppData\Local\Temp\9C31.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Files


memory/3088-37-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8665.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\8665.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\8470.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\8F7E.exe

MD5 a0dc2db849379678c981ff38e6864db0
SHA1 df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256 eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA512 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b

C:\Users\Admin\AppData\Local\Temp\8F7E.exe

MD5 a0dc2db849379678c981ff38e6864db0
SHA1 df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256 eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA512 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b

C:\Users\Admin\AppData\Local\Temp\8470.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/632-52-0x0000000000610000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/632-53-0x0000000000740000-0x000000000074B000-memory.dmp

memory/632-55-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C31.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\9C31.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/400-65-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/3156-66-0x0000000007CC0000-0x0000000007CD6000-memory.dmp

memory/632-67-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3088-73-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/472-75-0x0000000005130000-0x0000000005A1B000-memory.dmp

memory/1388-76-0x0000000000380000-0x000000000038C000-memory.dmp

memory/3680-77-0x0000000010000000-0x0000000010251000-memory.dmp

memory/1388-79-0x0000000000380000-0x000000000038C000-memory.dmp

memory/472-80-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2384-81-0x0000000000AE0000-0x0000000000B4B000-memory.dmp

memory/2384-82-0x0000000000B50000-0x0000000000BC5000-memory.dmp

memory/2384-84-0x0000000000AE0000-0x0000000000B4B000-memory.dmp

memory/3680-85-0x0000000002870000-0x0000000002876000-memory.dmp

memory/472-83-0x0000000004D20000-0x0000000005126000-memory.dmp

C:\Users\Admin\AppData\Local\afddb995-bf8e-476e-9b1a-1ea398658276\53A9.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\53A9.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/1180-115-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2384-119-0x0000000000AE0000-0x0000000000B4B000-memory.dmp

memory/400-120-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/3088-122-0x0000000007C20000-0x00000000081C4000-memory.dmp

memory/472-121-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/396-127-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2664-126-0x0000000004920000-0x00000000049B5000-memory.dmp

memory/396-129-0x0000000000400000-0x0000000000537000-memory.dmp

memory/396-125-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\53A9.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/3680-130-0x0000000010000000-0x0000000010251000-memory.dmp

memory/3680-131-0x0000000002CB0000-0x0000000002DCB000-memory.dmp

memory/3088-132-0x0000000007720000-0x00000000077B2000-memory.dmp

memory/3680-134-0x0000000002DD0000-0x0000000002ED1000-memory.dmp

memory/3680-133-0x0000000002DD0000-0x0000000002ED1000-memory.dmp

memory/3680-136-0x0000000002DD0000-0x0000000002ED1000-memory.dmp

memory/3680-139-0x0000000002DD0000-0x0000000002ED1000-memory.dmp

memory/472-140-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3088-141-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/3088-142-0x0000000007700000-0x0000000007710000-memory.dmp

memory/3088-143-0x0000000007830000-0x000000000783A000-memory.dmp

memory/472-144-0x0000000004D20000-0x0000000005126000-memory.dmp

memory/1480-145-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/1480-146-0x0000000005130000-0x0000000005140000-memory.dmp

memory/1480-147-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

memory/400-148-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/3088-150-0x00000000087F0000-0x0000000008E08000-memory.dmp

C:\Users\Admin\AppData\Roaming\rgwfbvw

MD5 a0dc2db849379678c981ff38e6864db0
SHA1 df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256 eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA512 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b

memory/1480-155-0x0000000005770000-0x0000000005D98000-memory.dmp

memory/1480-156-0x0000000005130000-0x0000000005140000-memory.dmp

memory/3088-158-0x0000000007A00000-0x0000000007A12000-memory.dmp

memory/3088-157-0x0000000007AF0000-0x0000000007BFA000-memory.dmp

memory/2664-154-0x0000000004920000-0x00000000049B5000-memory.dmp

memory/472-149-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3088-159-0x0000000007A60000-0x0000000007A9C000-memory.dmp

memory/1480-160-0x0000000005550000-0x0000000005572000-memory.dmp

memory/3088-161-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

memory/1480-162-0x00000000056F0000-0x0000000005756000-memory.dmp

memory/1480-163-0x0000000005F10000-0x0000000005F76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fg2d53d.t5f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1480-169-0x0000000005F80000-0x00000000062D4000-memory.dmp

memory/1480-174-0x0000000006560000-0x000000000657E000-memory.dmp

memory/3088-175-0x0000000007700000-0x0000000007710000-memory.dmp

memory/1480-176-0x0000000006A10000-0x0000000006A54000-memory.dmp

memory/1480-177-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/1480-178-0x0000000005130000-0x0000000005140000-memory.dmp

memory/1480-179-0x0000000007670000-0x00000000076E6000-memory.dmp

memory/1480-180-0x0000000005130000-0x0000000005140000-memory.dmp

memory/400-181-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/1480-183-0x0000000005130000-0x0000000005140000-memory.dmp

memory/472-182-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1480-184-0x0000000007D70000-0x00000000083EA000-memory.dmp

memory/1480-185-0x00000000075F0000-0x000000000760A000-memory.dmp

memory/1480-186-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

memory/1480-188-0x00000000747C0000-0x000000007480C000-memory.dmp

memory/1480-189-0x000000006C9F0000-0x000000006CD44000-memory.dmp

memory/1480-187-0x0000000007AD0000-0x0000000007B02000-memory.dmp

memory/1480-199-0x0000000007AB0000-0x0000000007ACE000-memory.dmp

memory/1480-200-0x0000000007B10000-0x0000000007BB3000-memory.dmp

memory/1480-201-0x0000000005130000-0x0000000005140000-memory.dmp

memory/1480-202-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

memory/400-203-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/472-204-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1480-205-0x00000000083F0000-0x0000000008486000-memory.dmp

memory/1480-206-0x0000000007C40000-0x0000000007C51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1480-208-0x0000000007C70000-0x0000000007C7E000-memory.dmp

memory/1480-209-0x0000000007C80000-0x0000000007C94000-memory.dmp

memory/400-216-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/472-217-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C31.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/400-253-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/472-254-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4860-255-0x0000000000740000-0x000000000079A000-memory.dmp

memory/400-257-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp

memory/2812-256-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2812-264-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2812-268-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 89ae6dfb9a06aa1ac901bf11d7f1e406
SHA1 40684048404c32aeb5552d4ab17fd9a0da9d2287
SHA256 019b153fbc41aadf849639257d54887cf007fd6c34ed3b7203f315c62e72d22e
SHA512 872e7c8a8217b702782f2667f4c7f03a39dfe5ff78cec00d63939efc67858cad2ba188afc5a7cbf54221785d297f1b7f04ac6ea5e6b6911b76206efcfd00bcc2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e764cfd6dd73b8f7adf1b85b8f0e6039
SHA1 8b8958c3d0f51f095c408245c2fe8a882f2ed70a
SHA256 31b1efb7770c5f800d85441cb6702bbfc30c8f3d0efdc031b828b372cf7ceb66
SHA512 5e16f343f9138527fee12cc7de21d77831363095bd4ef82d6f38d07f7fa504c345897be023a4c85c466de07371d9986634893efe44f66bb7c145905fa2d1ad53

C:\Windows\rss\csrss.exe

MD5 b01051f8eb90ae5fc37c53a3d27a3441
SHA1 ec02ec6b4837915a8faff482c767ba0481100802
SHA256 5261e2aca080b71e486f4e2f7579203c5c2ed57d20b28ef8bbd6ab5dc2d7e20e
SHA512 7785b75521489ff3861d649e92f9e785976f1904f0fde40d58451215fc62965345ad38df6430a6c35615de6f06672e9a3c9a00d9fcd814120ea52678df272f13

C:\Windows\rss\csrss.exe

MD5 b01051f8eb90ae5fc37c53a3d27a3441
SHA1 ec02ec6b4837915a8faff482c767ba0481100802
SHA256 5261e2aca080b71e486f4e2f7579203c5c2ed57d20b28ef8bbd6ab5dc2d7e20e
SHA512 7785b75521489ff3861d649e92f9e785976f1904f0fde40d58451215fc62965345ad38df6430a6c35615de6f06672e9a3c9a00d9fcd814120ea52678df272f13

memory/2812-339-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7e3e4ce569022c685be192cd7646b8a5
SHA1 b99383a1d7c77870098e3d8100ac3fa638b924c6
SHA256 db218b3a9906ada768161755daeff85ccff409abcc31e05fea32ea17f2420ee5
SHA512 ae1acea95a1904e8db80ac2c507efa7e08955a63042481ea7409f9a31a664ed276c87539e4e73647c7866cbdc4bdd6b668631c1cef0739f18a0312c8cc5abedc