Malware Analysis Report

2025-01-18 05:34

Sample ID 231015-vpl8lshg7t
Target deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
SHA256 deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514

Threat Level: Known bad

The file deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514 was found to be: Known bad.

Malicious Activity Summary

RedLine

SmokeLoader

Glupteba payload

Amadey

Glupteba

Djvu Ransomware

Detected Djvu ransomware

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Modifies file permissions

Checks computer location settings

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

outlook_win_path

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

outlook_office_path

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 17:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 17:09

Reported

2023-10-15 17:13

Platform

win10v2004-20230915-en

Max time kernel

90s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (10 rows, all columns N/A)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (7 rows, all columns N/A)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FB44.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FB44.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FB44.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\410.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (7 rows, all columns N/A)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eb88e208-1d0a-4647-b663-98849355df3a\\F613.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F613.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\FB44.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB44.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 648 set thread context of 2200 N/A C:\Users\Admin\AppData\Local\Temp\F613.exe C:\Users\Admin\AppData\Local\Temp\F613.exe
PID 4064 set thread context of 4124 N/A C:\Users\Admin\AppData\Local\Temp\FCAD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A (5 rows)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cacls.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cacls.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe N/A
N/A N/A N/A N/A (62 rows, all columns N/A)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe N/A
N/A N/A C:\Windows\SysWOW64\cacls.exe N/A
N/A N/A N/A N/A (4 rows, all columns N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (9 rows)
Token: SeCreatePagefilePrivilege N/A N/A N/A (9 rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A (3 rows, all columns N/A)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A (3 rows, all columns N/A)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3208 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\Temp\F613.exe (3 rows)
PID 3208 wrote to memory of 760 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB44.exe (3 rows)
PID 3208 wrote to memory of 4064 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCAD.exe (3 rows)
PID 648 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\F613.exe C:\Users\Admin\AppData\Local\Temp\F613.exe (10 rows)
PID 4064 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\FCAD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (8 rows)
PID 3208 wrote to memory of 1088 N/A N/A C:\Users\Admin\AppData\Local\Temp\410.exe (3 rows)
PID 3208 wrote to memory of 4588 N/A N/A C:\Windows\SysWOW64\cacls.exe (3 rows)
PID 3208 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\Temp\1095.exe (3 rows)
PID 3208 wrote to memory of 1008 N/A N/A C:\Windows\system32\regsvr32.exe (2 rows)
PID 1008 wrote to memory of 4980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (3 rows)
PID 3208 wrote to memory of 4408 N/A N/A C:\Windows\system32\svchost.exe (2 rows)
PID 3208 wrote to memory of 3112 N/A N/A C:\Windows\SysWOW64\explorer.exe (4 rows)
PID 3208 wrote to memory of 4460 N/A N/A C:\Windows\explorer.exe (3 rows)
PID 2200 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\F613.exe C:\Windows\SysWOW64\icacls.exe (3 rows)
PID 1088 wrote to memory of 2980 N/A C:\Windows\System32\schtasks.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (3 rows)
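
The SetThreadContext and WriteProcessMemory tables above only become a finding when read together. Every parent writes into the child it is creating (the PID 3208 rows are exactly that), so WriteProcessMemory on its own is noise; a write followed by SetThreadContext on the same (source, target) pair is the hollowing or self-injection pattern. The block below is an added example, not part of the sandbox report: a parser for rows in the report's own format and a correlation that flags such pairs, telling apart a sample that re-launches and injects into a copy of itself (F613.exe) from one that hollows a Microsoft .NET host binary (FCAD.exe into AppLaunch.exe). The sample rows are one copy of each distinct pair from the tables above; the "write"/"ctx" labels and the verdict wording are mine.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# One row of the report's "PID A wrote to memory of B" / "set thread context of" tables.
ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")

# Constructed sample: one copy of each distinct row from the two tables above
# (the report repeats a row once per call; the repeat count is not needed here).
SAMPLE_ROWS = r"""
PID 3208 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\Temp\F613.exe
PID 3208 wrote to memory of 760 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB44.exe
PID 3208 wrote to memory of 4064 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCAD.exe
PID 648 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\F613.exe C:\Users\Admin\AppData\Local\Temp\F613.exe
PID 4064 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\FCAD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1008 wrote to memory of 4980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 648 set thread context of 2200 N/A C:\Users\Admin\AppData\Local\Temp\F613.exe C:\Users\Admin\AppData\Local\Temp\F613.exe
PID 4064 set thread context of 4124 N/A C:\Users\Admin\AppData\Local\Temp\FCAD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""


class Event(NamedTuple):
    src: int
    kind: str        # "write" (WriteProcessMemory) or "ctx" (SetThreadContext); my labels
    dst: int
    src_image: str   # "N/A" where the report did not record the process image
    dst_image: str


def parse(text: str) -> List[Event]:
    """Turn report rows into events; lines that do not match the row format are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            kind = "write" if m.group(2).startswith("wrote") else "ctx"
            events.append(Event(int(m.group(1)), kind, int(m.group(3)),
                                m.group(4), m.group(5)))
    return events


def find_injections(events: List[Event]) -> Dict[Tuple[int, int], str]:
    """Return a verdict for every (src, dst) pair that saw BOTH a write and a
    thread-context change. Pairs with writes only are treated as process
    creation and are not reported."""
    kinds: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    images: Dict[int, str] = {}
    for e in events:
        kinds[(e.src, e.dst)].add(e.kind)
        for pid, img in ((e.src, e.src_image), (e.dst, e.dst_image)):
            if img != "N/A":
                images[pid] = img
    verdicts: Dict[Tuple[int, int], str] = {}
    for pair, seen in kinds.items():
        if seen != {"write", "ctx"}:
            continue
        src_img = images.get(pair[0], "?")
        dst_img = images.get(pair[1], "?")
        if src_img.lower() == dst_img.lower():
            verdicts[pair] = f"self-injection into a new copy of {ntpath.basename(src_img)}"
        else:
            verdicts[pair] = (f"hollowing of {ntpath.basename(dst_img)} "
                              f"by {ntpath.basename(src_img)}")
    return verdicts


def write_only_pairs(events: List[Event]) -> Set[Tuple[int, int]]:
    """Pairs with writes but no context change: ordinary parent-to-child process creation."""
    return {(e.src, e.dst) for e in events} - set(find_injections(events))


if __name__ == "__main__":
    evs = parse(SAMPLE_ROWS)
    for pair, verdict in find_injections(evs).items():
        print(pair, verdict)
    print("creation-only pairs:", sorted(write_only_pairs(evs)))
```

The same correlation applies to Sysmon data: join the source and target PIDs of event ID 8 (CreateRemoteThread) or 10 (ProcessAccess with write rights) against process creation events, and alert when the target image is a system binary that did not come from the same directory as the writer.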

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe

"C:\Users\Admin\AppData\Local\Temp\deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514.exe"

C:\Users\Admin\AppData\Local\Temp\F613.exe

C:\Users\Admin\AppData\Local\Temp\F613.exe

C:\Users\Admin\AppData\Local\Temp\FB44.exe

C:\Users\Admin\AppData\Local\Temp\FB44.exe

C:\Users\Admin\AppData\Local\Temp\FCAD.exe

C:\Users\Admin\AppData\Local\Temp\FCAD.exe

C:\Users\Admin\AppData\Local\Temp\F613.exe

C:\Users\Admin\AppData\Local\Temp\F613.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\410.exe

C:\Users\Admin\AppData\Local\Temp\410.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4064 -ip 4064

C:\Users\Admin\AppData\Local\Temp\980.exe

C:\Users\Admin\AppData\Local\Temp\980.exe

C:\Users\Admin\AppData\Local\Temp\1095.exe

C:\Users\Admin\AppData\Local\Temp\1095.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\148E.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 140

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\148E.dll

C:\Users\Admin\AppData\Local\Temp\2C9B.exe

C:\Users\Admin\AppData\Local\Temp\2C9B.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\eb88e208-1d0a-4647-b663-98849355df3a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\F613.exe

"C:\Users\Admin\AppData\Local\Temp\F613.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\F613.exe

"C:\Users\Admin\AppData\Local\Temp\F613.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3148 -ip 3148

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\1095.exe

"C:\Users\Admin\AppData\Local\Temp\1095.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
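
The process list above is the whole chain from one run: a netsh rule allowing inbound traffic to C:\Windows\rss\csrss.exe, a Defender exclusion for the user profile and Program Files, sc stop against the update services, a task registered as SYSTEM from an XML in Temp, powercfg zeroing the sleep timeouts, yiueea.exe re-launched every minute from 577f58beff and locked with CACLS, icacls denying Everyone delete rights on the eb88e208-... folder, and a DLL loaded silently through regsvr32. The block below is an added example, my code rather than the sandbox's or any vendor's, of turning those command lines into detection rules and running them over process-creation events. The command lines are copied from the list above; the PIDs, the two benign control rows, the TRUSTED_PROGRAM_DIRS list and the tactic labels are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str

# Constructed sample: command lines copied from the process list above; PIDs
# are assumed, and the two 2xx rows are made-up benign controls.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(101, r"C:\Windows\system32\netsh.exe",
              r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    ProcEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(103, r"C:\Windows\System32\sc.exe", "sc stop wuauserv"),
    ProcEvent(104, r"C:\Windows\System32\sc.exe", "sc stop WaaSMedicSvc"),
    ProcEvent(105, r"C:\Windows\System32\schtasks.exe",
              r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"'),
    ProcEvent(106, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    ProcEvent(107, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\eb88e208-1d0a-4647-b663-98849355df3a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcEvent(108, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:N"'),
    ProcEvent(109, r"C:\Windows\System32\powercfg.exe", "powercfg /x -standby-timeout-ac 0"),
    ProcEvent(110, r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\148E.dll"),
    ProcEvent(201, r"C:\Windows\System32\sc.exe", "sc stop Spooler"),  # benign control
    ProcEvent(202, r"C:\Windows\system32\netsh.exe",                   # benign control
              r'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow program="C:\Program Files\Google\Chrome\Application\chrome.exe" enable=yes'),
]

# The update-related services stopped in the run above (not an exhaustive list).
UPDATE_SERVICES = {"wuauserv", "bits", "dosvc", "waasmedicsvc", "usosvc"}
# Directories from which an inbound-allow rule is unremarkable (assumption; tune per environment).
TRUSTED_PROGRAM_DIRS = (r"c:\program files", r"c:\windows\system32")

def firewall_allow_untrusted(e: ProcEvent) -> bool:
    """Inbound allow rule whose program sits outside the trusted directories."""
    cl = e.cmdline.lower()
    if "advfirewall firewall add rule" not in cl or "action=allow" not in cl:
        return False
    m = re.search(r'program="([^"]+)"', cl)
    return m is not None and not m.group(1).startswith(TRUSTED_PROGRAM_DIRS)

def stops_update_service(e: ProcEvent) -> bool:
    m = re.match(r"\s*sc(?:\.exe)?\s+stop\s+(\S+)", e.cmdline, re.I)
    return m is not None and m.group(1).lower() in UPDATE_SERVICES

def _rx(pattern: str) -> Callable[[ProcEvent], bool]:
    """Predicate from a case-insensitive regex over the command line."""
    rx = re.compile(pattern, re.I)
    return lambda e: rx.search(e.cmdline) is not None

# (rule name, tactic label, predicate); the tactic labels are my grouping.
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("firewall_allow_untrusted_program", "evasion", firewall_allow_untrusted),
    ("defender_exclusion_added", "evasion", _rx(r"add-mppreference.*-exclusionpath")),
    ("update_service_stopped", "evasion", stops_update_service),
    ("system_task_from_temp_xml", "persistence",
     _rx(r'/create.*/ru\s+"?system"?.*/xml\s+"?[^"]*\\temp\\')),
    ("minute_task_into_appdata", "persistence",
     _rx(r'/sc\s+minute\b.*/tr\s+"?[^"]*\\appdata\\')),
    ("acl_deny_everyone", "evasion", _rx(r"/deny\s+\*S-1-1-0")),
    ("acl_lock_own_user", "evasion", _rx(r'cacls\s+"[^"]+"\s+/P\s+"[^":]+:N"')),
    ("powercfg_timeouts_zeroed", "persistence",
     _rx(r"powercfg\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b")),
    ("regsvr32_silent_temp_dll", "execution",
     _rx(r"regsvr32(?:\.exe)?\s+/s\s+\S*\\temp\\\S+\.dll")),
]

def scan(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, tactic) for every rule that fires on every event."""
    return [(e.pid, name, tactic)
            for e in events for name, tactic, pred in RULES if pred(e)]

if __name__ == "__main__":
    for pid, name, tactic in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {tactic:<12} {name}")
```

Each rule on its own has a benign explanation (admins do stop bits, and installers do add firewall rules); the value is in several of them firing within a minute from processes whose parents live under AppData\Local\Temp, which is how the chain above looks in telemetry.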

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 wirtshauspost.at udp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
US 8.8.8.8:53 129.233.171.211.in-addr.arpa udp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
FR 146.59.161.13:39199 tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
KR 211.171.233.129:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
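
The network table mixes three kinds of rows: the sandbox's own resolver traffic and reverse lookups to 8.8.8.8 (noise for blocking purposes), connections to the hosts the sample itself uses, and requests to shared services (api.2ip.ua for the external-IP check flagged above, cdn.discordapp.com as a public CDN) that should not be blocked as bare hostnames. The block below is an added example, not part of the report: a parser for rows in the table's format and a triage that separates these groups, pulls out the name-less connections to high ports (146.59.161.13:39199, 31.41.244.27:41140) and the plain-IP HTTP host (79.137.192.18) that a hostname blocklist would miss, and notes domains that share one IP. Which names count as shared services is my judgement rather than a sandbox verdict, and the sample rows are a subset of the table above.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: a subset of the rows from the network table above,
# keeping the resolver and reverse-lookup rows that the triage must drop.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 34.94.245.237:80 sumagulituyo.org tcp
SG 34.143.166.163:80 lightseinsteniki.org tcp
SG 34.143.166.163:80 liuliuoumumy.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 188.114.97.0:443 api.2ip.ua tcp
KR 211.171.233.129:80 wirtshauspost.at tcp
FR 146.59.161.13:39199 tcp
RU 31.41.244.27:41140 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 udp
"""


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the row carried no name
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse 'Country Destination [Domain] Proto' rows; header and malformed rows are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or ":" not in parts[1]:
            continue
        ip, port = parts[1].rsplit(":", 1)
        domain = parts[2] if len(parts) == 4 else None
        flows.append(Flow(parts[0], ip, int(port), domain, parts[-1]))
    return flows


# Names treated as shared third-party services rather than the sample's own
# infrastructure (my judgement): hunt on the request, do not block the host.
SHARED_SERVICES = {
    "api.2ip.ua": "external IP lookup",
    "cdn.discordapp.com": "public CDN (the report does not say what was fetched)",
}


def is_sandbox_noise(f: Flow) -> bool:
    """Resolver traffic and the sandbox's own reverse lookups."""
    return f.port == 53 or (f.domain or "").endswith(".in-addr.arpa")


def triage(flows: List[Flow]) -> Dict[str, object]:
    domains: Dict[str, Set[str]] = defaultdict(set)
    direct_ip: Set[str] = set()
    raw_high_port: Set[str] = set()
    shared: Dict[str, str] = {}
    for f in flows:
        if is_sandbox_noise(f):
            continue
        endpoint = f"{f.ip}:{f.port}"
        if f.domain in SHARED_SERVICES:
            shared[f.domain] = SHARED_SERVICES[f.domain]
        elif f.domain is None or f.domain == f.ip:
            # No hostname at all: a custom TCP protocol on a high port, or
            # plain HTTP to a bare IP. Neither is caught by a DNS blocklist.
            (raw_high_port if f.port not in (80, 443) else direct_ip).add(endpoint)
        else:
            domains[f.domain].add(endpoint)
    # Several names on one IP is a pivot: block the IP and watch for new names on it.
    ip_to_names: Dict[str, Set[str]] = defaultdict(set)
    for d, eps in domains.items():
        for ep in eps:
            ip_to_names[ep.rsplit(":", 1)[0]].add(d)
    return {
        "contacted_domains": dict(domains),
        "direct_ip": direct_ip,
        "raw_tcp_high_port": raw_high_port,
        "shared_services": shared,
        "shared_ip": {ip: n for ip, n in ip_to_names.items() if len(n) > 1},
    }


if __name__ == "__main__":
    for key, value in triage(parse_flows(SAMPLE_NETWORK)).items():
        print(key, value)
```

The raw_tcp_high_port and direct_ip buckets are the ones to feed to network blocking; contacted_domains go to DNS blocking and passive-DNS pivoting; shared_services only make sense as full-URL or behavioural indicators.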

Files

memory/3892-1-0x0000000000790000-0x0000000000890000-memory.dmp

memory/3892-2-0x0000000000750000-0x000000000075B000-memory.dmp

memory/3892-3-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/3892-4-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/3208-5-0x0000000002810000-0x0000000002826000-memory.dmp

memory/3892-6-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/3892-9-0x0000000000750000-0x000000000075B000-memory.dmp

memory/3208-14-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-16-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-19-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-18-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-21-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-17-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-25-0x0000000002880000-0x0000000002890000-memory.dmp

memory/3208-27-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-28-0x0000000002880000-0x0000000002890000-memory.dmp

memory/3208-29-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-31-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-33-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-38-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-41-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-42-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-44-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-47-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-46-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-45-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-43-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-40-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-39-0x0000000002880000-0x0000000002890000-memory.dmp

memory/3208-37-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-35-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-26-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-24-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-23-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-15-0x0000000002860000-0x0000000002870000-memory.dmp

memory/3208-13-0x0000000002860000-0x0000000002870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F613.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/648-56-0x0000000004890000-0x0000000004928000-memory.dmp

memory/648-57-0x0000000004930000-0x0000000004A4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FB44.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/760-62-0x0000000000DD0000-0x0000000001550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FCAD.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2200-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2200-70-0x0000000000400000-0x0000000000537000-memory.dmp

memory/760-71-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/760-73-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/2200-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/760-72-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/4124-77-0x0000000000400000-0x000000000043E000-memory.dmp

memory/760-78-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/760-80-0x0000000077D74000-0x0000000077D76000-memory.dmp

memory/760-76-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/760-75-0x0000000075D70000-0x0000000075E60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\410.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\980.exe

MD5 b34a1347aeef34e39c2936e969c9f0d5
SHA1 7e30999d290921dad4811e8e2017be8c1d0e9abd
SHA256 23439192304985da6561b0d6f6ad4ece7a4eecf01ded84e9f73ac4ac6ab5cf9a
SHA512 295ab21837bb0ab3101e9810265a0ca9694737f455fee78158951d606862787ee2e170f0c7dbf200e6bb344c5ed90975568f22dc3f2d40b0413c1252fb2df3b1

memory/2200-92-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-94-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/4588-95-0x0000000000710000-0x000000000071B000-memory.dmp

memory/4588-96-0x0000000000400000-0x00000000005B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1095.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/760-102-0x0000000000DD0000-0x0000000001550000-memory.dmp

memory/760-105-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/760-104-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/4296-106-0x0000000004D30000-0x0000000005131000-memory.dmp

memory/760-107-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/760-108-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/4296-109-0x0000000005140000-0x0000000005A2B000-memory.dmp

memory/760-110-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/4296-111-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4588-114-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/3208-112-0x0000000002C40000-0x0000000002C56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\148E.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/760-118-0x0000000075D70000-0x0000000075E60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C9B.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

memory/4124-124-0x0000000074950000-0x0000000075100000-memory.dmp

memory/4296-126-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4460-128-0x0000000000800000-0x000000000080C000-memory.dmp

memory/4460-130-0x0000000000800000-0x000000000080C000-memory.dmp

memory/4460-129-0x0000000000810000-0x0000000000817000-memory.dmp

memory/4980-132-0x0000000000A00000-0x0000000000A06000-memory.dmp

memory/4980-131-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/3112-135-0x00000000012E0000-0x000000000134B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4296-138-0x0000000004D30000-0x0000000005131000-memory.dmp

memory/760-136-0x0000000000DD0000-0x0000000001550000-memory.dmp

memory/3112-140-0x0000000001350000-0x00000000013D0000-memory.dmp

memory/3112-141-0x00000000012E0000-0x000000000134B000-memory.dmp

memory/760-144-0x0000000006720000-0x0000000006CC4000-memory.dmp

memory/4296-147-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4124-172-0x0000000074950000-0x0000000075100000-memory.dmp

memory/3112-176-0x00000000012E0000-0x000000000134B000-memory.dmp

memory/4296-178-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\eb88e208-1d0a-4647-b663-98849355df3a\F613.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/4124-180-0x0000000007400000-0x0000000007492000-memory.dmp

memory/760-184-0x0000000006310000-0x00000000063AC000-memory.dmp

memory/2200-185-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2076-188-0x0000000074950000-0x0000000075100000-memory.dmp

memory/2076-190-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/2076-192-0x0000000002F00000-0x0000000002F36000-memory.dmp

memory/3148-197-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-198-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3148-200-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\uhsavew

MD5 b34a1347aeef34e39c2936e969c9f0d5
SHA1 7e30999d290921dad4811e8e2017be8c1d0e9abd
SHA256 23439192304985da6561b0d6f6ad4ece7a4eecf01ded84e9f73ac4ac6ab5cf9a
SHA512 295ab21837bb0ab3101e9810265a0ca9694737f455fee78158951d606862787ee2e170f0c7dbf200e6bb344c5ed90975568f22dc3f2d40b0413c1252fb2df3b1

memory/4980-206-0x00000000026F0000-0x0000000002813000-memory.dmp

memory/4980-209-0x0000000002820000-0x0000000002928000-memory.dmp

memory/4980-211-0x0000000002820000-0x0000000002928000-memory.dmp

memory/4980-213-0x0000000002820000-0x0000000002928000-memory.dmp

memory/4980-218-0x0000000002820000-0x0000000002928000-memory.dmp

memory/4296-216-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1v3e5btg.54a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/760-248-0x00000000062F0000-0x0000000006305000-memory.dmp

memory/760-249-0x00000000062F0000-0x0000000006305000-memory.dmp

memory/4296-245-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/760-255-0x00000000062F0000-0x0000000006305000-memory.dmp

memory/760-253-0x00000000062F0000-0x0000000006305000-memory.dmp

memory/760-251-0x00000000062F0000-0x0000000006305000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 c671d50d589ce7be9ad3ff4035e6ad63
SHA1 88cdc154077c8264149cb8b19e16ba07901e1dd6
SHA256 fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568
SHA512 a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 e6e5e4b47c598d93be9a744dfda34e2e
SHA1 9fec2468c05fde0aa876337544a025f974fcceb5
SHA256 475c0148bc3c63c27f45de086d2e0820ccfdfc0dbd94a791be5e63f1f1b2eaec
SHA512 0c9ddc773b95594426b7eacdf9528b14715ae8f3332aa52024e5a8fbb7f2c6dd4355bc2770e6f59d25b39617f098c79c401c6c4045faf630247d2460707c0436

C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Program Files\Google\Chrome\updater.exe

MD5 e123f80e8fabe14c5761f710a5ac0ee8
SHA1 1e55780ad627fb8557ac8e05bc0c6e552f0c2726
SHA256 8a147f8399923af81436983e03b10621c8a88b0d40bbafcc3eae7b5c83fae359
SHA512 6345cb50dd4256819e21ac0d95799e78aa8db7c4956254412667a5c927560395dc21a2b96b338431f5072b05d58a7ffb84f11a430cc398c2135047061084ec8c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 db2c39a3ef95ab929814d6d34381ad09
SHA1 4a98d0caecdf21d09201c26498c6d8b5545650b6
SHA256 244f419c390fc3aa31943b81cda324b71203fe542621b9e2c1cb3d8bcce490eb
SHA512 5e8b7acf17791bd83a92a48179919645d0cb8a3e43c6245cff0cbad50d8f73985a9c967207431fe6ca16d32729322d38124b9ea1701f10f9e6099c0baec2a21d