Malware Analysis Report

2025-01-18 06:23

Sample ID: 231017-bxdfwsac34
Target: file.exe
SHA256: 779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Tags: amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery dropper evasion infostealer loader ransomware themida trojan pub1 collection persistence spyware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Detected Djvu ransomware

Glupteba

Glupteba payload

RedLine payload

RedLine

SmokeLoader

Djvu Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Checks computer location settings

Modifies file permissions

Themida packer

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Enumerates system info in registry

outlook_office_path

Suspicious use of UnmapMainImage

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-17 01:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
(1 hit; no indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-17 01:31
Reported: 2023-10-17 01:34
Platform: win7-20230831-en
Max time kernel: 46s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description | Indicator | Process | Target
(11 hits; no indicator, process or target recorded)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
(2 hits; no indicator, process or target recorded)

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(5 hits; no indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A

Deletes itself

Description | Indicator | Process | Target
(1 hit; no indicator, process or target recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
(4 hits; no indicator, process or target recorded)

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
(62 further hits; no indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
(1 hit; no indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe
PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe
PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe
PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe
PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe
PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe
PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe
PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe

Uses Task Scheduler COM API

persistence

Processes

Each entry lists the image path, followed (indented) by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\258A.exe
    C:\Users\Admin\AppData\Local\Temp\258A.exe

C:\Users\Admin\AppData\Local\Temp\28A7.exe
    C:\Users\Admin\AppData\Local\Temp\28A7.exe

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3094.dll

C:\Users\Admin\AppData\Local\Temp\34C9.exe
    C:\Users\Admin\AppData\Local\Temp\34C9.exe

C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\3094.dll

C:\Users\Admin\AppData\Local\Temp\258A.exe
    C:\Users\Admin\AppData\Local\Temp\258A.exe

C:\Users\Admin\AppData\Local\Temp\4A7C.exe
    C:\Users\Admin\AppData\Local\Temp\4A7C.exe

C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\765ead5c-f514-42b6-9a56-51e48c554f1c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\258A.exe
    "C:\Users\Admin\AppData\Local\Temp\258A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe
    CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\258A.exe
    "C:\Users\Admin\AppData\Local\Temp\258A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\598A.exe
    C:\Users\Admin\AppData\Local\Temp\598A.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
    "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
    C:\Windows\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017013328.log C:\Windows\Logs\CBS\CbsPersist_20231017013328.cab

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe
    "C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe"

C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe
    "C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe"

C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe
    "C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe"

C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe
    "C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe"

C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\598A.exe
    "C:\Users\Admin\AppData\Local\Temp\598A.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\taskeng.exe
    taskeng.exe {74637911-DF05-430D-9087-78A4B3D07055} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
    C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\mi.exe
    "C:\Users\Admin\AppData\Local\Temp\mi.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | onualituyrs.org | udp
RU | 91.215.85.209:80 | onualituyrs.org | tcp
RU | 91.215.85.209:443 | onualituyrs.org | tcp
RU | 91.215.85.209:443 | onualituyrs.org | tcp
US | 8.8.8.8:53 | sumagulituyo.org | udp
US | 34.94.245.237:80 | sumagulituyo.org | tcp
US | 8.8.8.8:53 | snukerukeutit.org | udp
US | 104.198.2.251:80 | snukerukeutit.org | tcp
US | 8.8.8.8:53 | lightseinsteniki.org | udp
SG | 34.143.166.163:80 | lightseinsteniki.org | tcp
US | 8.8.8.8:53 | liuliuoumumy.org | udp
SG | 34.143.166.163:80 | liuliuoumumy.org | tcp
US | 8.8.8.8:53 | stualialuyastrelia.net | udp
RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp
US | 8.8.8.8:53 | api.2ip.ua | udp
RU | 79.137.192.18:80 | (none recorded) | tcp
US | 188.114.96.0:443 | api.2ip.ua | tcp
US | 188.114.96.0:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | colisumy.com | udp
US | 8.8.8.8:53 | zexeq.com | udp
KR | 211.181.24.132:80 | colisumy.com | tcp
KR | 211.168.53.110:80 | zexeq.com | tcp
KR | 211.168.53.110:80 | zexeq.com | tcp
JP | 23.207.106.113:443 | (none recorded) | tcp
DE | 49.12.118.149:80 | 49.12.118.149 | tcp
RU | 31.41.244.27:41140 | (none recorded) | tcp
GB | 145.239.200.147:30225 | (none recorded) | tcp
US | 172.67.213.185:443 | (none recorded) | tcp
US | 8.8.8.8:53 | c4871c64-5aca-48fd-9d96-9d75c87b3245.uuid.thestatsfiles.ru | udp
US | 162.159.135.233:443 | (none recorded) | tcp
US | 20.150.79.68:443 | (none recorded) | tcp

Files

memory/2940-1-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/2940-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2940-2-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1192-4-0x0000000002A40000-0x0000000002A56000-memory.dmp

memory/2940-5-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1192-11-0x000007FEF5680000-0x000007FEF57C3000-memory.dmp

memory/1192-12-0x000007FE93520000-0x000007FE9352A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\258A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2560-26-0x0000000000280000-0x0000000000A28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\28A7.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2560-27-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-33-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2468-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2560-30-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-41-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-46-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-48-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-50-0x0000000075DE0000-0x0000000075E27000-memory.dmp

memory/2560-53-0x0000000075980000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3094.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2468-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2560-58-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-60-0x0000000075DE0000-0x0000000075E27000-memory.dmp

memory/2560-62-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-64-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-65-0x0000000075980000-0x0000000075A90000-memory.dmp

\Users\Admin\AppData\Local\Temp\3094.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2560-67-0x00000000770E0000-0x00000000770E2000-memory.dmp

memory/1192-63-0x000007FEF5680000-0x000007FEF57C3000-memory.dmp

memory/2836-69-0x0000000010000000-0x00000000101E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C9.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/2560-76-0x0000000000280000-0x0000000000A28000-memory.dmp

memory/2560-61-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-59-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-57-0x0000000075DE0000-0x0000000075E27000-memory.dmp

memory/2560-54-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-52-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-49-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2776-47-0x00000000021D0000-0x00000000022EB000-memory.dmp

memory/2776-45-0x0000000000850000-0x00000000008E2000-memory.dmp

memory/2560-42-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-39-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2468-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2560-37-0x0000000075DE0000-0x0000000075E27000-memory.dmp

\Users\Admin\AppData\Local\Temp\258A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2776-29-0x0000000000850000-0x00000000008E2000-memory.dmp

memory/2560-28-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2836-77-0x0000000002070000-0x0000000002178000-memory.dmp

memory/2836-78-0x0000000000580000-0x0000000000670000-memory.dmp

memory/2836-79-0x0000000000580000-0x0000000000670000-memory.dmp

memory/2836-81-0x0000000000580000-0x0000000000670000-memory.dmp

memory/2560-85-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2468-86-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2836-87-0x0000000000150000-0x0000000000156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4A7C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2836-95-0x0000000000580000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\765ead5c-f514-42b6-9a56-51e48c554f1c\258A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2560-115-0x0000000005480000-0x00000000054C0000-memory.dmp

memory/2468-120-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2316-126-0x00000000002A0000-0x0000000000332000-memory.dmp

memory/2316-123-0x00000000002A0000-0x0000000000332000-memory.dmp

memory/396-131-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\598A.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2412-139-0x00000000048F0000-0x0000000004CE8000-memory.dmp

memory/396-138-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2560-141-0x0000000000280000-0x0000000000A28000-memory.dmp

memory/2560-142-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-143-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2412-144-0x00000000048F0000-0x0000000004CE8000-memory.dmp

memory/1368-147-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2412-148-0x0000000004CF0000-0x00000000055DB000-memory.dmp

memory/2560-149-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-145-0x0000000075DE0000-0x0000000075E27000-memory.dmp

memory/1368-162-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2412-163-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2560-164-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-166-0x0000000075980000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/2560-173-0x0000000075980000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab60D5.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2016-184-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2560-186-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-187-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-185-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2560-183-0x0000000075980000-0x0000000075A90000-memory.dmp

memory/2560-176-0x0000000075980000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e117fecff42eeca55e661bd7cf454dd
SHA1 7359c1b18adab9baac2531eb8eb03b375eb0ebc5
SHA256 f91240011975ba308dc46c58b7cd24cddf0140283382fa2da34d68ea7a40c849
SHA512 9d6b49f08374e94948761c049cb5a36f788fec3389f046e5ab3c0b84c0ccdc7b9a38af5ddc858c1f4bb2f4bf79e55d4c4b397cccbd489165b77b369660ce9264

memory/2560-172-0x0000000075980000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e0588e2b2e8bc1784c7107058c7558cb
SHA1 cf471bbf888de7b6c7cb2ae94381dc5ab623ff59
SHA256 f2b0643174e934b4a43df8f9e94636e01fb9edc19913ee9d3692d5ad0621f7fb
SHA512 4fa6c70e84b845aa0927a8f27940e3c868b334d88b46a9f66363f9cc14f07d36ca4e512239634d208ea77126502cb0d098b5ba5bf65a12bb8a793c21bc475400

memory/2560-169-0x0000000075980000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 62912e7da7c7e03a73f43c50b3c70979
SHA1 a1514787753be0f3d9fd60e253fcdd4fd9805aea
SHA256 ca4e99a2fea0b8c21bcf8dd8333d3df6ff75727db82cb0efd86eefe09b9f2d85
SHA512 a24bcc548811162591a8c7c3379ac8536f2928de2a250f9ef867d201798621872aa961f4abc3449fa24ce78f3fbf9f88b92c2f63db99d1ef455da5fdf4b3bb75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f99ba2ef1fecd19b702f51ca216bcbb7
SHA1 a9c71a4b378e3e200e9f9e1c68dea34a203e0ee5
SHA256 27ae0ac9eaeb292b5fad47f7cfc4016586db1ff8850a72329fcad64c0566ab40
SHA512 2fd1fdf93cc052e4a59298b71ce821aad6a00d2c1969b0d979a09a016db8b4cbf765d5a1f0c346b361cd5384b50ea9d74fff1d41b137d11cab51a2f2523564d0

memory/2016-165-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2560-188-0x0000000005480000-0x00000000054C0000-memory.dmp

memory/396-190-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2412-191-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2560-194-0x0000000002790000-0x00000000027AC000-memory.dmp

memory/396-196-0x0000000000400000-0x0000000000537000-memory.dmp

memory/396-195-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2120-198-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2120-204-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-210-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2560-213-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/396-212-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2560-228-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2560-226-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2560-224-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2560-222-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2560-220-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2560-218-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2120-216-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2560-215-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2560-208-0x0000000002790000-0x00000000027A5000-memory.dmp

memory/2120-207-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-206-0x0000000002790000-0x00000000027A5000-memory.dmp

C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

memory/2120-202-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2120-201-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2120-200-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2120-199-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2120-197-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\TarDE11.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5c8e85a496491e9e7f4c5610029ad4d1
SHA1 27bf392543ce2d5729e085c5db914f371bf1212b
SHA256 578d10158e9f9865c7d244a536617d20add8a877c66f69dff766fceace3b6d77
SHA512 c7ce621e4b17945f93e8dab0337bbd10ad6dc97ba704b90d4fcf8e3d11d1805aed50687d96b99d90fa8740a2b906a8b40934c3a8199fabee459cc3688d053db9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 a1ad93f61113e492efa33579feef1d63
SHA1 9516b2306478154b6a3ee83b37e7d03daee23098
SHA256 7dd0973e29aac24a95fa30783a31a2c3bcd26c296f05f300dc111f6521101239
SHA512 f95260cab0b12a84f2c4ac47d58de984551145a9cbf6f28acec2378481a5706773f16b142a529ccf01848d42292396c4691231af744f82fbaa6bcb3ba6f76ebb

C:\Windows\rss\csrss.exe

MD5 2cea17f330d866200fdf17d5c994e18c
SHA1 608a69569522c165a76ffe4cee36041f8ac0ac08
SHA256 8b6dab7877adfe5f5437d478fbc038b2432780ad84925d7ea4d7f8b15a106e67
SHA512 446e179b913596a5ed5bdb67e7798b134719bce435df79272d0d05f24a8e620fdea181e89afdfb09717ff367d60cf86474ddc2f0a4983553f4fbff74485d0978

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 4afe1fb3fda9f03e5ff5abb28e802d50
SHA1 c4c5f1c41e1b6f9955393867a3037227fc324509
SHA256 9faa27b56f58b6afe3d2a117540e5fd5f4073b92c0646ac4d03f1f36c417d643
SHA512 aa791362a74d885ead0b3252dc874b32235eac16521286fcacb3b6bf12a76dedf5b4e205c4c3041c95ccd67f8c327979a9d7555df073a6f2452c824e19e082ed

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 4afe1fb3fda9f03e5ff5abb28e802d50
SHA1 c4c5f1c41e1b6f9955393867a3037227fc324509
SHA256 9faa27b56f58b6afe3d2a117540e5fd5f4073b92c0646ac4d03f1f36c417d643
SHA512 aa791362a74d885ead0b3252dc874b32235eac16521286fcacb3b6bf12a76dedf5b4e205c4c3041c95ccd67f8c327979a9d7555df073a6f2452c824e19e082ed

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 1be58c4386af214e23fd0b69a30fba0c
SHA1 e039ba39e4839e3811c3a7ebb6ea5a212a3b9f44
SHA256 5e2d16440da615b4f79cb26749bdeddb7bba176005fd709009955d733d19ecaf
SHA512 592bf5966903065f3511b9318cd959745f0d957a2ca86ba8c0b153b8d10fd3439ccc83b8275a4ca2088247afbf84f6195ffa409778e5781d6c16b9f96fd58f3b

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 a62a9d88309b5ab5f93b8421264625d4
SHA1 7eacaabfd90218abdd960f8e654f1b014cf2c041
SHA256 6495dee8b543e422e8b8532be40bd5b573a250d882c2fc515c29dd4e8a304161
SHA512 b91f46c6139034cee3b2a73598fcc17071aa88a2cb6fbdc2ba24b484bda47875368ddb1b9ced82537d8c956c4b25b2529c4974a6203d2b98018fcc38fcf2422f

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 549c507534224ca632ee2d4a0e291732
SHA1 95baa4be0e2fe53d8e6f02ee74e86d73c459e613
SHA256 245c7f5db1cc4dae389d184dfdf390be83dca3a3278664e6ffc954bb5f2d2f57
SHA512 c2e52efa31a997e3bcb1929009160378c93c91f3137eb9757cd748049b666ad5236f81e4228b511e12cdc555c416fad45f5a12be82b443eac26187b3a5437101

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 a94af25447916bfa5277c778959f8c09
SHA1 af9116cc4160c6aadec9204e21bf1b961e1126b8
SHA256 8d01fda2072e4bab44ad53d771bcccfdc5857387d885e0687dc726f7ce6d3ec4
SHA512 201af07f61f72bac524cd8aadf34cc8a05ea301c0c6b153ee242910ee1012e247c919ea3e3d6278bc05cdf0e6c98ad5cbcf0f695e83a7b0926d18fe5e6a1c0e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47aee42b1cfb248fb2071c64dcf336bb
SHA1 45434066a8ae7aa09a9c52d1166405697428ae29
SHA256 29b4357a1d58081205060687671de2f86993ec0706bc89016ab2f92f8f5d3abc
SHA512 e6b82607eba38728999e8f6b7cba7a8b1ae7bc736f773d41818d27e2d7ab2c70eeb9cbf1eeda142d898a2c519013e4c6c3e5c64e2025768b6725a846507d179a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bebf724794192028b7b017ded1eef80f
SHA1 9b5d15cadf81b92e49484a698c71b66c92d55e84
SHA256 130286a9df4a1c59ddff54d9087937c6d0ff125759bd4895289c19f5156fb7ab
SHA512 4a47f26e924102f3c41f9d55826c4b68ab7ba0b53e5e8d531e09126942bd28260fad041fcca216e8cf881076e67ffc0938774c319d4b30bf06951e31f4c13540

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 5c84e97d351c218f36e5f8ed6b93963d
SHA1 228e1e09cb250ebdce313e165f5257b23c6b83aa
SHA256 fe4aa4f4b18785c8e167db4e937523c36399c7cefbd62abbd44f04da6e9c069f
SHA512 62ba8912c8486ba9eb2f2874066e624bc2e6a9b09fd17a47a6f3cb1ede37628285e7dd6cf1f786d570ac17e8c0d0200f6bd8b119de1239106b25deef50d93113

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 5c84e97d351c218f36e5f8ed6b93963d
SHA1 228e1e09cb250ebdce313e165f5257b23c6b83aa
SHA256 fe4aa4f4b18785c8e167db4e937523c36399c7cefbd62abbd44f04da6e9c069f
SHA512 62ba8912c8486ba9eb2f2874066e624bc2e6a9b09fd17a47a6f3cb1ede37628285e7dd6cf1f786d570ac17e8c0d0200f6bd8b119de1239106b25deef50d93113

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 01:31

Reported

2023-10-17 01:35

Platform

win10v2004-20230915-en

Max time kernel

156s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\74AF.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\74AF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\74AF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\974D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\64B0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\59a6764c-b833-4d29-906a-8603da4ce8fe\\64B0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\64B0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\74AF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74AF.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9C5F.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9C5F.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9C5F.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C5F.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\74AF.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 3172 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 3172 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 3172 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\74AF.exe
PID 3172 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\74AF.exe
PID 3172 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\74AF.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 2248 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Users\Admin\AppData\Local\Temp\64B0.exe
PID 3172 wrote to memory of 3992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3172 wrote to memory of 3992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3172 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\Temp\9374.exe
PID 3172 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\Temp\9374.exe
PID 3172 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\Temp\9374.exe
PID 3992 wrote to memory of 1508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3992 wrote to memory of 1508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3992 wrote to memory of 1508 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3172 wrote to memory of 1120 N/A N/A C:\Users\Admin\AppData\Local\Temp\974D.exe
PID 3172 wrote to memory of 1120 N/A N/A C:\Users\Admin\AppData\Local\Temp\974D.exe
PID 3172 wrote to memory of 1120 N/A N/A C:\Users\Admin\AppData\Local\Temp\974D.exe
PID 3172 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C5F.exe
PID 3172 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C5F.exe
PID 3172 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C5F.exe
PID 1120 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\974D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1120 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\974D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1120 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\974D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3172 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\A317.exe
PID 3172 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\A317.exe
PID 3172 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\A317.exe
PID 3172 wrote to memory of 1636 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 1636 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 1636 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 1636 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4592 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3172 wrote to memory of 2948 N/A N/A C:\Windows\explorer.exe
PID 3172 wrote to memory of 2948 N/A N/A C:\Windows\explorer.exe
PID 3172 wrote to memory of 2948 N/A N/A C:\Windows\explorer.exe
PID 4132 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4132 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4132 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Windows\SysWOW64\icacls.exe
PID 4552 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Windows\SysWOW64\icacls.exe
PID 4552 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\64B0.exe C:\Windows\SysWOW64\icacls.exe
PID 4132 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4132 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4132 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4132 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\64B0.exe

C:\Users\Admin\AppData\Local\Temp\64B0.exe

C:\Users\Admin\AppData\Local\Temp\74AF.exe

C:\Users\Admin\AppData\Local\Temp\74AF.exe

C:\Users\Admin\AppData\Local\Temp\64B0.exe

C:\Users\Admin\AppData\Local\Temp\64B0.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\91CD.dll

C:\Users\Admin\AppData\Local\Temp\9374.exe

C:\Users\Admin\AppData\Local\Temp\9374.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\91CD.dll

C:\Users\Admin\AppData\Local\Temp\974D.exe

C:\Users\Admin\AppData\Local\Temp\974D.exe

C:\Users\Admin\AppData\Local\Temp\9C5F.exe

C:\Users\Admin\AppData\Local\Temp\9C5F.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\A317.exe

C:\Users\Admin\AppData\Local\Temp\A317.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\59a6764c-b833-4d29-906a-8603da4ce8fe" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\64B0.exe

"C:\Users\Admin\AppData\Local\Temp\64B0.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3ACD.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\64B0.exe

"C:\Users\Admin\AppData\Local\Temp\64B0.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124

C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ghmVbzDaG" /SC once /ST 00:23:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\6416.exe

C:\Users\Admin\AppData\Local\Temp\6416.exe
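
Added example (my triage helper, not part of the sandbox output): a Python pass over the command lines listed above. It decodes the -EncodedCommand payload of the second scheduled task (PowerShell encodes it as base64 over UTF-16LE), pulls the REG ADD calls out of the forfiles/cmd wrapper so the Defender policy writes are visible as key/value/data, and flags the per-minute schtasks persistence and the cacls/icacls lockdown. The sample command lines are copied from the Processes table; the regular expressions are mine and assume the quoting shapes seen there (in particular the backslash-escaped quotes forfiles passes through).

```python
"""Triage helpers for the command lines in the Processes table: decode a
PowerShell -EncodedCommand, pull REG ADD writes out of forfiles/cmd wrappers,
and recognise schtasks persistence and cacls/icacls lockdowns."""
import base64
import re

# Constructed sample input: command lines copied from the Processes table above.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe '
    '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\577f58beff\\yiueea.exe" /F',
    '"C:\\Windows\\System32\\forfiles.exe" /p c:\\windows\\system32 /m cmd.exe /c '
    '"cmd /C REG ADD \\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\" '
    '/f /v \\"exe\\" /t REG_SZ /d 0 /reg:32&REG ADD \\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
    '\\Exclusions\\Extensions\\" /f /v \\"exe\\" /t REG_SZ /d 0 /reg:64&"',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /f /v "SpyNetReporting" '
    '/t REG_DWORD /d 0 /reg:64',
    'schtasks /CREATE /TN "ghmVbzDaG" /SC once /ST 00:23:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden '
    '-EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    'icacls "C:\\Users\\Admin\\AppData\\Local\\59a6764c-b833-4d29-906a-8603da4ce8fe" '
    '/deny *S-1-1-0:(OI)(CI)(DE,DC)',
]

# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# REG ADD "key" [/f] /v "name" /t TYPE /d data; the optional backslash before
# each quote is the escaping forfiles passes through to cmd.exe.
REG_ADD_RE = re.compile(
    r'REG ADD\s+\\?"([^"]+)"\s+(?:/f\s+)?/v\s+\\?"([^"]+)"\s+/t\s+(\w+)\s+/d\s+(\S+)', re.I)
DEFENDER_POLICY = "hklm\\software\\policies\\microsoft\\windows defender"


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def registry_writes(cmdline):
    """Every REG ADD in the command line as (key, value, type, data)."""
    return [(k.rstrip("\\"), v.rstrip("\\"), t.upper(), d)
            for k, v, t, d in REG_ADD_RE.findall(cmdline)]


def _opt(cmdline, flag):
    """Value of a schtasks /FLAG argument, quoted or bare."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scheduled_task(cmdline):
    """Name, schedule, modifier and action of a schtasks /create, or None."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    sc = _opt(cmdline, "SC")
    return {"tn": _opt(cmdline, "TN"), "sc": sc.upper() if sc else None,
            "mo": _opt(cmdline, "MO"), "tr": _opt(cmdline, "TR")}


def triage(cmdline):
    """Human-readable findings for one command line."""
    findings = []
    low = cmdline.lower()
    if "forfiles" in low and re.search(r"\s/c\s", low):
        findings.append("forfiles used as a proxy to launch cmd.exe (LOLBin)")
    task = scheduled_task(cmdline)
    if task:
        if task["sc"] == "MINUTE":
            findings.append("persistence: task %s reruns %s every %s minute(s)"
                            % (task["tn"], task["tr"], task["mo"]))
        else:
            findings.append("task %s (%s) runs: %s" % (task["tn"], task["sc"], task["tr"]))
    for key, value, rtype, data in registry_writes(cmdline):
        if key.lower().startswith(DEFENDER_POLICY):
            findings.append("Defender policy tamper: %s\\%s = %s (%s)" % (key, value, data, rtype))
    decoded = decode_encoded_command(cmdline)
    if decoded:
        findings.append("decoded PowerShell: " + decoded)
    if re.search(r"\bi?cacls\b", low) and ("/deny" in low or ":n" in low):
        findings.append("ACL lockdown on dropped artefact (icacls/cacls deny)")
    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        for finding in triage(cmd):
            print(finding)
```

The decoded task action is start-process -WindowStyle Hidden gpupdate.exe /force: a hidden Group Policy refresh scheduled right after the Defender policy values (an exe extension exclusion and SpyNetReporting=0) were written under HKLM\SOFTWARE\Policies, presumably so that the new policy takes effect. The REG ADD calls are issued with both /reg:32 and /reg:64, explicitly targeting both registry views from the 32-bit (SysWOW64) launcher, and they are proxied through forfiles so that the parent of reg.exe is cmd.exe rather than the dropper. Note that the exclusion is written as a policy value rather than through Set-MpPreference, so a host check should inspect that key directly.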

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 mikolyda.beget.tech udp
RU 91.106.207.50:80 mikolyda.beget.tech tcp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 hoffmanlevi.space udp
RU 45.130.41.106:443 hoffmanlevi.space tcp
US 8.8.8.8:53 106.41.130.45.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 147.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
MX 187.204.8.60:80 wirtshauspost.at tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
US 8.8.8.8:53 60.8.204.187.in-addr.arpa udp
US 95.214.27.254:80 95.214.27.254 tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
US 8.8.8.8:53 254.27.214.95.in-addr.arpa udp
RU 31.41.244.27:41140 tcp
GB 145.239.200.147:30225 tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 147.200.239.145.in-addr.arpa udp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
US 8.8.8.8:53 rummygoplay.in udp
IN 103.251.94.112:443 rummygoplay.in tcp
US 8.8.8.8:53 112.94.251.103.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
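
Added example (mine, not sandbox output): reducing the Network table above to the hosts the sample actually contacted. The resolver traffic to 8.8.8.8 and the in-addr.arpa reverse lookups are noise; what an analyst wants is the set of (ip, port, name) tuples, how often each was hit, and the bare-IP connections on high ports, which had no preceding DNS query and therefore come from addresses hard-coded in a payload. The sample rows are copied from the table; the two rows whose domain column is empty are parsed as raw-IP connects, and the port whitelist for "looks like web" is my assumption.

```python
"""Reduce a sandbox Network table to the hosts the sample actually talked to."""
import ipaddress
from collections import OrderedDict

# Constructed sample input: rows copied from the Network table above
# (country, destination, domain, protocol; two rows have no domain column).
SAMPLE_ROWS = """\
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 31.41.244.27:41140 tcp
GB 145.239.200.147:30225 tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
MX 187.204.8.60:80 wirtshauspost.at tcp
"""


def parse_rows(text):
    """Split the space-separated rows; a 3-field row is a connect by bare IP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_dns_lookup(row):
    return row["port"] == 53 and row["proto"] == "udp"


def queried_domains(rows):
    """Forward DNS names the sample resolved, in first-seen order, reverse lookups dropped."""
    names = []
    for r in rows:
        d = r["domain"]
        if is_dns_lookup(r) and d and not d.endswith(".in-addr.arpa") and d not in names:
            names.append(d)
    return names


def contacted_hosts(rows):
    """Count non-DNS connections per (ip, port, name). name is None when the
    sandbox saw no hostname, i.e. the sample dialled a hard-coded address."""
    counts = OrderedDict()
    for r in rows:
        if is_dns_lookup(r):
            continue
        name = r["domain"]
        if name is not None:
            try:
                ipaddress.ip_address(name)   # domain column merely echoes the IP
                name = None
            except ValueError:
                pass
        key = (r["ip"], r["port"], name)
        counts[key] = counts.get(key, 0) + 1
    return counts


def suspicious_direct_connects(hosts, web_ports=(80, 443)):
    """Hosts reached by bare IP on a non-web port: the usual shape of a C2 beacon.
    The web-port whitelist is an assumption of this example."""
    return [(ip, port) for (ip, port, name) in hosts if name is None and port not in web_ports]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("resolved:", ", ".join(queried_domains(rows)))
    for (ip, port, name), n in contacted_hosts(rows).items():
        print("%-16s %5d  %-20s x%d" % (ip, port, name or "(no DNS)", n))
    print("beacon candidates:", suspicious_direct_connects(contacted_hosts(rows)))
```

Run over the full table the same way, the output separates three things that blur together in the raw rows: the named .org/.net hosts on 80/443 (the first-stage download and C2 traffic), the external-IP check against api.2ip.ua, and the two bare-IP endpoints on ports 41140 and 30225 that were never resolved by name and are therefore the most useful network indicators to block.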

Files

memory/5072-1-0x0000000000800000-0x0000000000900000-memory.dmp

memory/5072-2-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/5072-3-0x0000000002520000-0x000000000252B000-memory.dmp

memory/3172-4-0x00000000012B0000-0x00000000012C6000-memory.dmp

memory/5072-5-0x0000000000400000-0x00000000007CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2248-20-0x00000000009B0000-0x0000000000A4E000-memory.dmp

memory/2248-21-0x0000000002620000-0x000000000273B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\74AF.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\74AF.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/4244-25-0x0000000000880000-0x0000000001028000-memory.dmp

memory/4552-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/4244-28-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-32-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-33-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-30-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-34-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-35-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4552-29-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91CD.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/4552-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4244-36-0x0000000076580000-0x0000000076670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9374.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

C:\Users\Admin\AppData\Local\Temp\9374.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/4244-43-0x00000000777E4000-0x00000000777E6000-memory.dmp

memory/4552-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91CD.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

C:\Users\Admin\AppData\Local\Temp\974D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\974D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1508-55-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/1508-54-0x00000000022E0000-0x00000000022E6000-memory.dmp

memory/4244-57-0x0000000000880000-0x0000000001028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\9C5F.exe

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31

memory/4244-67-0x0000000005A70000-0x0000000005B02000-memory.dmp

memory/4244-68-0x0000000005C10000-0x0000000005CAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C5F.exe

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31

memory/4244-62-0x0000000005F80000-0x0000000006524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1508-72-0x0000000002630000-0x0000000002738000-memory.dmp

memory/4244-73-0x0000000005A30000-0x0000000005A3A000-memory.dmp

memory/4244-75-0x0000000000880000-0x0000000001028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A317.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\A317.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1508-81-0x0000000002740000-0x0000000002830000-memory.dmp

memory/1508-82-0x0000000002740000-0x0000000002830000-memory.dmp

memory/1508-87-0x0000000002740000-0x0000000002830000-memory.dmp

memory/4244-88-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-89-0x0000000076580000-0x0000000076670000-memory.dmp

memory/1636-85-0x0000000000680000-0x00000000006EB000-memory.dmp

memory/4244-86-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-84-0x0000000076580000-0x0000000076670000-memory.dmp

memory/1636-95-0x00000000006F0000-0x0000000000770000-memory.dmp

memory/2948-93-0x0000000000C00000-0x0000000000C0C000-memory.dmp

memory/1636-90-0x0000000000680000-0x00000000006EB000-memory.dmp

memory/4244-97-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-99-0x0000000076580000-0x0000000076670000-memory.dmp

memory/1872-100-0x0000000004C40000-0x0000000005047000-memory.dmp

memory/4180-102-0x0000000000810000-0x000000000081B000-memory.dmp

memory/4180-101-0x0000000000890000-0x0000000000990000-memory.dmp

memory/4180-103-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/2948-98-0x0000000000C00000-0x0000000000C0C000-memory.dmp

memory/1872-104-0x0000000005150000-0x0000000005A3B000-memory.dmp

memory/1508-111-0x0000000002740000-0x0000000002830000-memory.dmp

memory/1872-112-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3172-115-0x0000000002EF0000-0x0000000002F06000-memory.dmp

memory/4180-118-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1508-119-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/4244-125-0x0000000005DB0000-0x0000000005DCC000-memory.dmp

memory/4244-127-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-128-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-130-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/1872-126-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4244-132-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-133-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4244-135-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-139-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-137-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-141-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-143-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-145-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-147-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-149-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4244-151-0x0000000005DB0000-0x0000000005DC5000-memory.dmp

memory/4552-152-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\59a6764c-b833-4d29-906a-8603da4ce8fe\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/1872-162-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1636-163-0x0000000000680000-0x00000000006EB000-memory.dmp

C:\Users\Admin\AppData\Roaming\gvuhcdt

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31

memory/1636-167-0x00000000006F0000-0x0000000000770000-memory.dmp

memory/1872-170-0x0000000004C40000-0x0000000005047000-memory.dmp

memory/4016-172-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4884-173-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4016-176-0x0000000074200000-0x00000000749B0000-memory.dmp

memory/4244-177-0x0000000005DF0000-0x0000000005E00000-memory.dmp

memory/4016-178-0x00000000076F0000-0x0000000007700000-memory.dmp

memory/4884-179-0x0000000074200000-0x00000000749B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/4884-181-0x00000000075C0000-0x00000000075D0000-memory.dmp

memory/4552-180-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4244-188-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4884-198-0x0000000008500000-0x0000000008B18000-memory.dmp

memory/4244-211-0x0000000000880000-0x0000000001028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/4884-212-0x0000000007600000-0x0000000007612000-memory.dmp

memory/4884-215-0x0000000007770000-0x000000000787A000-memory.dmp

memory/1636-216-0x0000000000680000-0x00000000006EB000-memory.dmp

memory/4884-222-0x0000000007660000-0x000000000769C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 62962daa1b19bbcc2db10b7bfd531ea6
SHA1 d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA256 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA512 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

memory/4884-231-0x00000000076C0000-0x000000000770C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS3ACD.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\7zS3ACD.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/788-250-0x0000000002490000-0x000000000252D000-memory.dmp

memory/3124-254-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3124-253-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/3124-256-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1872-259-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

memory/4884-262-0x0000000007F50000-0x0000000007FB6000-memory.dmp

memory/4480-263-0x00000000000F0000-0x00000000007DF000-memory.dmp

memory/4480-264-0x0000000010000000-0x000000001057B000-memory.dmp

memory/4016-267-0x0000000074200000-0x00000000749B0000-memory.dmp

memory/4016-268-0x00000000076F0000-0x0000000007700000-memory.dmp

memory/4884-269-0x0000000074200000-0x00000000749B0000-memory.dmp

memory/3380-270-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

memory/3380-271-0x0000000074200000-0x00000000749B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pyh4iyfd.fuh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\6416.exe

MD5 49c3a1783950fa165b770f6cf5cc0619
SHA1 47704a2a06c92c1ea3a006e515548aa00eac8d02
SHA256 4290c815db722f3b8accc02b6ea6f3a86f2851181533b72748ac4143ffd1edc4
SHA512 92d670d3a3e23e64f34f2b65179006d5ab050751344f256ccff692b447991a189b91a28638060eee9c5ab5bf43694ae20dffb70e16f01ac5b9a30d1b1dc564b7

C:\Users\Admin\AppData\Local\Temp\6416.exe

MD5 49c3a1783950fa165b770f6cf5cc0619
SHA1 47704a2a06c92c1ea3a006e515548aa00eac8d02
SHA256 4290c815db722f3b8accc02b6ea6f3a86f2851181533b72748ac4143ffd1edc4
SHA512 92d670d3a3e23e64f34f2b65179006d5ab050751344f256ccff692b447991a189b91a28638060eee9c5ab5bf43694ae20dffb70e16f01ac5b9a30d1b1dc564b7
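
Added example (mine, not sandbox output): grouping the Files entries above by SHA256 shows which dropped files are one payload under a new name. That matters because the renamed copies are the persistence locations (the schtasks action points at 577f58beff\yiueea.exe, the icacls deny covers the 59a6764c-... directory), so they are what has to be cleaned up on a host, not the original Temp names. The sample entries are copied from this section with the SHA512 lines left out; the parser accepts whichever digest lines are present and skips the memory-dump entries, which carry no hashes.

```python
"""Correlate the flattened Files section by hash so that renamed copies of a
dropped payload (the persistence copies) are grouped with their original."""
import re
from collections import OrderedDict

# Constructed sample input: path and hash lines copied from the Files section
# above (SHA512 lines omitted; memory dump entries kept to show they are skipped).
SAMPLE_FILES = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7

memory/4244-25-0x0000000000880000-0x0000000001028000-memory.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\974D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

C:\\Users\\Admin\\AppData\\Local\\Temp\\577f58beff\\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

C:\\Users\\Admin\\AppData\\Local\\Temp\\9C5F.exe

MD5 8ba58058114c2249080990d19707cfd2
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4

C:\\Users\\Admin\\AppData\\Local\\59a6764c-b833-4d29-906a-8603da4ce8fe\\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7

C:\\Users\\Admin\\AppData\\Roaming\\gvuhcdt

MD5 8ba58058114c2249080990d19707cfd2
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4

C:\\Users\\Admin\\AppData\\Local\\Temp\\64B0.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (path, {algo: digest}) records; memory dumps carry no hashes and are dropped."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = (line, {})
            records.append(current)
    return [r for r in records if r[1]]


def group_by_sha256(records):
    """SHA256 -> distinct paths, in first-seen order (the same path reported twice
    is two drop events for one file and is collapsed)."""
    groups = OrderedDict()
    for path, hashes in records:
        sha = hashes.get("SHA256")
        if sha is None:
            continue
        paths = groups.setdefault(sha, [])
        if path not in paths:
            paths.append(path)
    return groups


def renamed_copies(groups):
    """Hash groups that live under more than one path: the persistence copies."""
    return OrderedDict((sha, paths) for sha, paths in groups.items() if len(paths) > 1)


def copies_outside_temp(groups):
    """Copies that have left %TEMP%: the paths to remove when cleaning a host."""
    out = []
    for paths in renamed_copies(groups).values():
        out.extend(p for p in paths if "\\AppData\\Local\\Temp\\" not in p)
    return out


if __name__ == "__main__":
    groups = group_by_sha256(parse_files(SAMPLE_FILES))
    for sha, paths in renamed_copies(groups).items():
        print(sha[:16], "->", " | ".join(paths))
    print("outside Temp:", copies_outside_temp(groups))
```

On the page's own data this pairs 974D.exe with 577f58beff\yiueea.exe (the file the per-minute task reruns), 9C5F.exe with the extensionless Roaming\gvuhcdt, and the Temp copy of 64B0.exe with the one under the GUID-named directory whose ACL the icacls call locks down. Hashing by SHA256 rather than by name is what makes these pairs visible at all.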