Malware Analysis Report

2025-01-18 06:23

Sample ID: 231017-cs4b7agg7t
Target: 779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
SHA256: 779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Tags: amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Threat Level: Known bad

Malicious Activity Summary

Family detections: Amadey, Glupteba (and Glupteba payload), RedLine (and RedLine payload), Djvu Ransomware (Detected Djvu ransomware), SmokeLoader

Behaviours:
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Themida packer
Checks computer location settings
Deletes itself
Loads dropped DLL
Checks BIOS information in registry
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview
Reported: 2023-10-17 02:21

Signatures
Unsigned PE

Analysis: behavioral1

Detonation Overview
Submitted: 2023-10-17 02:21
Reported: 2023-10-17 02:25
Platform: win10v2004-20230915-en
Max time kernel: 189s
Max time network: 216s

Command Line
"C:\Users\Admin\AppData\Local\Temp\779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64.exe"

Signatures

Amadey [trojan amadey]
Detected Djvu ransomware
Djvu Ransomware [ransomware djvu]
Glupteba [loader dropper glupteba]
Glupteba payload
RedLine [infostealer redline]
RedLine payload
SmokeLoader [trojan backdoor smokeloader]

Identifies VirtualBox via ACPI registry values (likely anti-VM) [evasion]
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (C:\Users\Admin\AppData\Local\Temp\5701.exe)

Downloads MZ/PE file

Checks BIOS information in registry
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (C:\Users\Admin\AppData\Local\Temp\5701.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (C:\Users\Admin\AppData\Local\Temp\5701.exe)

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation (C:\Users\Admin\AppData\Local\Temp\BD9D.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation (C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation (C:\Users\Admin\AppData\Local\Temp\5395.exe)

Deletes itself

Loads dropped DLL
  Process: C:\Windows\SysWOW64\regsvr32.exe

Modifies file permissions [discovery]
  Process: C:\Windows\SysWOW64\icacls.exe

Themida packer [themida]

Accesses Microsoft Outlook profiles [collection]
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (C:\Windows\SysWOW64\explorer.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (C:\Windows\SysWOW64\explorer.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (C:\Windows\SysWOW64\explorer.exe)

Adds Run key to start application [persistence]
  Set value (str): \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "C:\Users\Admin\AppData\Local\7a73ab1d-ba21-49ed-a4ff-184860623428\5395.exe" --AutoStart (C:\Users\Admin\AppData\Local\Temp\5395.exe)

Checks whether UAC is enabled [evasion trojan]
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (C:\Users\Admin\AppData\Local\Temp\5701.exe)

Looks up external IP address via web service
  Indicator: api.2ip.ua (three lookups, process not attributed)

Suspicious use of NtSetInformationThreadHideFromDebugger
  Process: C:\Users\Admin\AppData\Local\Temp\5701.exe

Enumerates physical storage devices

Program crash
  Process: C:\Windows\SysWOW64\WerFault.exe; Target: C:\Users\Admin\AppData\Local\Temp\5395.exe

Checks SCSI registry key(s)
  Key enumerated, opened and queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (C:\Users\Admin\AppData\Local\Temp\D721.exe)
  Key enumerated, opened and queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (C:\Users\Admin\AppData\Local\Temp\779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64.exe)

Creates scheduled task(s) [persistence]
  Process: C:\Windows\SysWOW64\schtasks.exe
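The registry reads recorded above (the VBOX__ ACPI table name, the two BIOS version strings, Enum\SCSI, EnableLUA and Geo\Nation) are the usual sandbox and locale fingerprinting battery, and 5701.exe runs most of it. A single one of these reads is common in benign software, so a useful detection scores them per process. The Python below is an added example, not part of the sandbox report or its tooling: it scores registry-access records against those key patterns and reports only processes that reach a threshold. SAMPLE_EVENTS is constructed from the report's own indicator rows; the weights and the threshold are assumptions for illustration, not a published scheme.

```python
"""Score registry reads for the VM/locale fingerprinting battery seen in
this report. Added example: not part of the sandbox output. SAMPLE_EVENTS
is constructed from the report's indicator rows; weights and the alert
threshold are illustrative assumptions, not a published scheme."""
import re
from collections import defaultdict

# (regex over the registry path, weight, why it matters)
CHECKS = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", 5, "VirtualBox ACPI table name"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion", 2, "system BIOS version string"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion", 2, "video BIOS version string"),
    (r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI$", 2, "SCSI device enumeration (virtual disk IDs)"),
    (r"\\Policies\\System\\EnableLUA$", 1, "UAC state (elevation planning)"),
    (r"\\Control Panel\\International\\Geo\\Nation$", 1, "locale check (geo-exclusion gate)"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), w, why) for p, w, why in CHECKS]


def score_events(events, threshold=4):
    """events: iterable of (operation, registry_path, process_path).

    Returns {process: {"score": int, "hits": [reason, ...]}} for every
    process whose score reaches the threshold. Each check counts once per
    process, so D721.exe touching Enum\\SCSI three times scores the same
    as touching it once and cannot outrank a process that runs the whole
    battery."""
    per_proc = defaultdict(lambda: {"score": 0, "hits": []})
    seen = set()
    for _operation, path, proc in events:
        for rx, weight, why in COMPILED:
            if rx.search(path) and (proc, why) not in seen:
                seen.add((proc, why))
                per_proc[proc]["score"] += weight
                per_proc[proc]["hits"].append(why)
    return {p: v for p, v in per_proc.items() if v["score"] >= threshold}


T = r"C:\Users\Admin\AppData\Local\Temp"
SID = r"\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000"
# Constructed from the report's "Checks ..." indicator rows.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", T + r"\5701.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", T + r"\5701.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", T + r"\5701.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", T + r"\5701.exe"),
    ("Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", T + r"\D721.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", T + r"\D721.exe"),
    ("Key queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", T + r"\D721.exe"),
    ("Key value queried", SID + r"\Control Panel\International\Geo\Nation", T + r"\5395.exe"),
]


def triage_sample(threshold=4):
    """Run the scorer over the constructed events."""
    return score_events(SAMPLE_EVENTS, threshold)


if __name__ == "__main__":
    for proc, info in triage_sample().items():
        print(proc, info["score"], "; ".join(info["hits"]))
```

With the default threshold only 5701.exe is reported (score 10, four distinct checks); D721.exe's repeated SCSI enumeration scores 2 and 5395.exe's locale read scores 1, which is the behaviour you want from a rule that should not fire on every installer that reads the BIOS string.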

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64.exe (two entries; 62 further rows carry no process attribution)

Suspicious behavior: GetForegroundWindowSpam
  (no process attribution)

Suspicious behavior: MapViewOfSection
  Process: C:\Users\Admin\AppData\Local\Temp\779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64.exe
  Process: C:\Users\Admin\AppData\Local\Temp\D721.exe
  (four further rows without process attribution)

Suspicious use of AdjustPrivilegeToken
  Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, 13 pairs, process not attributed
  Token: SeDebugPrivilege (C:\Users\Admin\AppData\Local\Temp\5701.exe)
  Token: SeDebugPrivilege (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe)
  Token: SeDebugPrivilege (C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, two entries)

Suspicious use of UnmapMainImage
  (no process attribution)

Suspicious use of WriteProcessMemory (writer PID -> target PID, repeated rows collapsed; PID 3156 is not attributed to an image in the report)
  3156 -> 3876 C:\Users\Admin\AppData\Local\Temp\5395.exe
  3156 -> 1528 C:\Users\Admin\AppData\Local\Temp\5701.exe
  3156 -> 3828 C:\Windows\system32\regsvr32.exe
  3876 (5395.exe) -> 3568 C:\Users\Admin\AppData\Local\Temp\5395.exe
  3828 (regsvr32.exe) -> 1856 C:\Windows\SysWOW64\regsvr32.exe
  3156 -> 3604 C:\Users\Admin\AppData\Local\Temp\95B1.exe
  3156 -> 1684 C:\Users\Admin\AppData\Local\Temp\BD9D.exe
  3156 -> 3024 C:\Users\Admin\AppData\Local\Temp\D721.exe
  3156 -> 2852 C:\Users\Admin\AppData\Local\Temp\E73F.exe
  3156 -> 1296 C:\Windows\SysWOW64\explorer.exe
  3156 -> 440 C:\Windows\explorer.exe
  1684 (BD9D.exe) -> 3988 C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  3988 (yiueea.exe) -> 1208 C:\Windows\SysWOW64\schtasks.exe
  3988 (yiueea.exe) -> 3864 C:\Windows\SysWOW64\cmd.exe
  3864 (cmd.exe) -> 5032 C:\Windows\SysWOW64\cmd.exe
  3864 (cmd.exe) -> 4844 C:\Windows\SysWOW64\cacls.exe
  3604 (95B1.exe) -> 4752 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  3568 (5395.exe) -> 4880 C:\Windows\SysWOW64\icacls.exe

Uses Task Scheduler COM API [persistence]

outlook_office_path
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (C:\Windows\SysWOW64\explorer.exe)

outlook_win_path
  Key opened: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (C:\Windows\SysWOW64\explorer.exe)

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64.exe
  "C:\Users\Admin\AppData\Local\Temp\779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64.exe"
C:\Users\Admin\AppData\Local\Temp\5395.exe
  C:\Users\Admin\AppData\Local\Temp\5395.exe
C:\Users\Admin\AppData\Local\Temp\5701.exe
  C:\Users\Admin\AppData\Local\Temp\5701.exe
C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\83EE.dll
C:\Users\Admin\AppData\Local\Temp\5395.exe
  C:\Users\Admin\AppData\Local\Temp\5395.exe
C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\83EE.dll
C:\Users\Admin\AppData\Local\Temp\95B1.exe
  C:\Users\Admin\AppData\Local\Temp\95B1.exe
C:\Users\Admin\AppData\Local\Temp\BD9D.exe
  C:\Users\Admin\AppData\Local\Temp\BD9D.exe
C:\Users\Admin\AppData\Local\Temp\D721.exe
  C:\Users\Admin\AppData\Local\Temp\D721.exe
C:\Users\Admin\AppData\Local\Temp\E73F.exe
  C:\Users\Admin\AppData\Local\Temp\E73F.exe
C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\explorer.exe
  C:\Windows\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
  CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\7a73ab1d-ba21-49ed-a4ff-184860623428" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cacls.exe
  CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
  CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
  CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\5395.exe
  "C:\Users\Admin\AppData\Local\Temp\5395.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\5395.exe
  "C:\Users\Admin\AppData\Local\Temp\5395.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2812 -ip 2812
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 568
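The process list above shows two persistence and self-protection styles side by side. yiueea.exe registers a scheduled task that relaunches it every minute from AppData\Local\Temp, then runs cmd /k echo Y|CACLS to replace the ACL on its own file and directory with a deny-all for the current user before adding read back (the Amadey pattern). 5395.exe writes a Run value named SysHelper with --AutoStart and uses icacls to deny Everyone (S-1-1-0) delete rights on its GUID-named drop directory (the Djvu/STOP pattern). The Python below is an added example, not the sandbox's own detection logic: it applies command-line rules to process-creation records and a Run-key rule to registry-set records. The records are constructed from this report's process list; the rule names and the (image, cmdline) / (key, value, process) layouts are my assumptions, not a sandbox schema.

```python
"""Rule checks for the persistence and file-locking command lines in the
Processes section. Added example: not the sandbox's own logic. The event
tuples are constructed from the report's process list; rule names and the
(image, cmdline) / (key, value, process) layouts are my assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    evidence: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(image, cmdline):
    """Apply the command-line rules to one process-creation record."""
    out = []
    low = cmdline.lower()
    exe = _basename(image)
    # schtasks /SC MINUTE /MO 1 relaunching a Temp-resident executable.
    if exe == "schtasks.exe" and "/create" in low and re.search(r"/sc\s+minute\b", low):
        m = re.search(r'/tr\s+"?([^"\s]+)', cmdline, re.IGNORECASE)
        if m and TEMP_DIR.search(m.group(1)):
            out.append(Finding("task:minute-relaunch-from-temp", image, m.group(1)))
    # regsvr32 /s loading a DLL dropped in Temp (83EE.dll in this report).
    if exe == "regsvr32.exe" and "/s" in low and low.endswith(".dll") and TEMP_DIR.search(cmdline):
        out.append(Finding("lolbin:regsvr32-silent-temp-dll", image, cmdline))
    # cmd /k echo Y|CACLS ... answers cacls' confirmation prompt non-interactively.
    if exe == "cmd.exe" and re.search(r"echo\s+y\s*\|\s*cacls\b", low):
        out.append(Finding("cmd:piped-yes-to-cacls", image, cmdline))
    # cacls <file> /P "<user>:N" replaces the ACL with a deny-all for that user.
    if exe == "cacls.exe" and re.search(r'/p\s+"[^"]+:n"', low):
        out.append(Finding("acl:cacls-deny-all-to-user", image, cmdline))
    # icacls /deny *S-1-1-0:(OI)(CI)(DE,DC): Everyone loses delete on the drop dir.
    if exe == "icacls.exe" and re.search(r"/deny\s+\*s-1-1-0:\(oi\)\(ci\)\(de,dc\)", low):
        out.append(Finding("acl:icacls-deny-everyone-delete", image, cmdline))
    return out


def check_run_key(key, value, process):
    """A Run value written by a process that lives in Temp (the SysHelper entry)."""
    if "\\currentversion\\run\\" in key.lower() and TEMP_DIR.search(process):
        name = key.rsplit("\\", 1)[-1]
        return [Finding("runkey:set-by-temp-process", process, name + " = " + value)]
    return []


# Constructed from the report's Processes section and Run-key indicator.
PROCESS_EVENTS = [
    (r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\83EE.dll"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\7a73ab1d-ba21-49ed-a4ff-184860623428" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:R" /E'),
]
RUN_KEY_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     r'"C:\Users\Admin\AppData\Local\7a73ab1d-ba21-49ed-a4ff-184860623428\5395.exe" --AutoStart',
     r"C:\Users\Admin\AppData\Local\Temp\5395.exe"),
]


def triage():
    """Run every rule over the constructed records, in record order."""
    findings = []
    for image, cmdline in PROCESS_EVENTS:
        findings += check_process(image, cmdline)
    for key, value, proc in RUN_KEY_EVENTS:
        findings += check_run_key(key, value, proc)
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f.rule, "|", f.process, "|", f.evidence)
```

The second cacls invocation (/P "Admin:R" /E) deliberately produces no finding: it is the step that gives the user read access back so the task can still launch the file, and on its own it is ordinary ACL maintenance. The deny-all and the piped "Y" are what make the sequence worth alerting on.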

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
GB 145.239.200.147:30225 tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 147.200.239.145.in-addr.arpa udp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
US 8.8.8.8:53 138.169.188.196.in-addr.arpa udp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
US 8.8.8.8:53 rummygoplay.in udp
IN 103.251.94.112:443 rummygoplay.in tcp
US 8.8.8.8:53 112.94.251.103.in-addr.arpa udp
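The network table mixes sandbox noise (reverse lookups of every contacted address via 8.8.8.8) with the indicators that matter: the .org and .net names contacted over TCP, the repeated beacons to wirtshauspost.at, the external-IP check against api.2ip.ua, and three connections made straight to an IP with no name (79.137.192.18:80, 145.239.200.147:30225 and 31.41.244.27:41140), which is the usual shape of a hard-coded stealer or loader C2. The Python below is an added example, not part of the report: it parses the flattened table, drops the in-addr.arpa rows, and separates named endpoints from raw-IP ones. NETWORK_ROWS is a constructed subset of the report's rows in the same column order; the output labels are mine.

```python
"""Turn the flattened Network table into an indicator list. Added example:
not part of the report. NETWORK_ROWS is a constructed subset of the
report's rows (same column order: country, destination, domain, proto);
the output labels are mine."""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
GB 145.239.200.147:30225 tcp
RU 31.41.244.27:41140 tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
ET 196.188.169.138:80 wirtshauspost.at tcp
US 188.114.97.0:443 api.2ip.ua tcp
"""

# Public "what is my IP" services: the sample uses one to geolocate the
# victim, so this is behaviour to note, not infrastructure to block.
IP_LOOKUP_SERVICES = {"api.2ip.ua"}


def parse_rows(text):
    """Parse 'country dest domain proto' lines; rows without a domain
    column (direct-to-IP connections) get domain == ''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_iocs(rows):
    domains = Counter()     # name -> forward DNS queries + TCP connections
    endpoints = Counter()   # ip:port -> TCP connections
    raw_ip = set()          # endpoints reached with no hostname at all
    ip_lookups = 0
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            continue                            # sandbox reverse lookups: drop
        if d in IP_LOOKUP_SERVICES:
            if r["proto"] == "tcp":
                ip_lookups += 1
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            domains[d] += 1                     # forward DNS query
            continue
        ep = r["ip"] + ":" + str(r["port"])
        endpoints[ep] += 1
        if d == "" or _is_ip(d):
            raw_ip.add(ep)
        else:
            domains[d] += 1
    return {
        "domains": dict(sorted(domains.items())),
        "endpoints": dict(endpoints),
        "raw_ip_endpoints": sorted(raw_ip),
        "external_ip_lookups": ip_lookups,
    }


def triage_network(text=NETWORK_ROWS):
    """Parse the table text and return the indicator summary."""
    return extract_iocs(parse_rows(text))


if __name__ == "__main__":
    for key, value in triage_network().items():
        print(key, value)
```

Feeding it the full table from this page gives the same shape of output: the per-domain counts show which names were contacted repeatedly, the raw-IP list is what goes into a block list first, and the external-IP lookup count is evidence of geofencing rather than an indicator to block.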

Files

memory/3336-1-0x0000000000B30000-0x0000000000C30000-memory.dmp
memory/3336-2-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/3336-3-0x0000000002510000-0x000000000251B000-memory.dmp
memory/3156-5-0x0000000002B70000-0x0000000002B86000-memory.dmp
memory/3336-6-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/3156-12-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-13-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-15-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-16-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-19-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-17-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-21-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-23-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-24-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-25-0x00000000021F0000-0x0000000002200000-memory.dmp
memory/3156-26-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-27-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-28-0x00000000021F0000-0x0000000002200000-memory.dmp
memory/3156-29-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-33-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-35-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-31-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-37-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-38-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-39-0x0000000002200000-0x0000000002210000-memory.dmp
memory/3156-40-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-43-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-42-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-41-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-44-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-46-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-48-0x0000000002630000-0x0000000002640000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5395.exe
MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/3876-58-0x00000000024B0000-0x0000000002549000-memory.dmp
memory/3876-59-0x00000000026B0000-0x00000000027CB000-memory.dmp
memory/3876-60-0x00000000024B0000-0x0000000002549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5701.exe
MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/1528-64-0x00000000000C0000-0x0000000000868000-memory.dmp
memory/3568-66-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3568-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1528-70-0x0000000075E60000-0x0000000075F50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83EE.dll
MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/1528-71-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-72-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/3568-73-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1528-75-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-76-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-74-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-79-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-80-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-81-0x00000000000C0000-0x0000000000868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\95B1.exe
MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/1528-85-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-86-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-92-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-98-0x00000000778C4000-0x00000000778C6000-memory.dmp
memory/1856-101-0x0000000001F10000-0x0000000001F16000-memory.dmp
memory/1856-99-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/1528-103-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-104-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/1528-105-0x0000000075E60000-0x0000000075F50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD9D.exe
MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1528-106-0x0000000075E60000-0x0000000075F50000-memory.dmp
memory/3568-107-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1528-109-0x0000000075E60000-0x0000000075F50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D721.exe

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31

memory/1856-113-0x0000000002290000-0x0000000002398000-memory.dmp

memory/1856-114-0x00000000023A0000-0x0000000002490000-memory.dmp

memory/1856-116-0x00000000023A0000-0x0000000002490000-memory.dmp

memory/1856-119-0x00000000023A0000-0x0000000002490000-memory.dmp

memory/1856-120-0x00000000023A0000-0x0000000002490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E73F.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1528-129-0x00000000000C0000-0x0000000000868000-memory.dmp

memory/1296-131-0x0000000000400000-0x0000000000475000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1528-132-0x0000000005CC0000-0x0000000006264000-memory.dmp

memory/1296-130-0x0000000000160000-0x00000000001CB000-memory.dmp

memory/1296-135-0x0000000000160000-0x00000000001CB000-memory.dmp

memory/1528-139-0x0000000005850000-0x00000000058EC000-memory.dmp

memory/440-142-0x0000000000540000-0x000000000054C000-memory.dmp

memory/1528-138-0x0000000005710000-0x00000000057A2000-memory.dmp

memory/440-148-0x0000000000160000-0x00000000001CB000-memory.dmp

memory/440-153-0x0000000000540000-0x000000000054C000-memory.dmp

memory/2852-169-0x0000000004B80000-0x0000000004F81000-memory.dmp

memory/1528-149-0x0000000005810000-0x000000000581A000-memory.dmp

memory/2852-170-0x0000000005090000-0x000000000597B000-memory.dmp

memory/2852-172-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3024-175-0x0000000000A30000-0x0000000000A3B000-memory.dmp

memory/3024-176-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/3024-177-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

memory/3156-178-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-180-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-181-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-182-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-183-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-184-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-185-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-186-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-187-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-189-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-190-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-188-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-191-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-192-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-193-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3156-195-0x0000000002C90000-0x0000000002CA6000-memory.dmp

memory/3156-194-0x0000000002630000-0x0000000002640000-memory.dmp

memory/3024-198-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1296-201-0x0000000000160000-0x00000000001CB000-memory.dmp

memory/4752-202-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2852-200-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1528-206-0x0000000005A60000-0x0000000005A7C000-memory.dmp

memory/1528-208-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/1528-209-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/1528-214-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/3568-213-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\7a73ab1d-ba21-49ed-a4ff-184860623428\5395.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Roaming\tvbfijb

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31

C:\Users\Admin\AppData\Local\Temp\5395.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ocmkhcip.uqj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

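The file list above records the same content under more than one path: BD9D.exe and 577f58beff\yiueea.exe share one SHA256, D721.exe and Roaming\tvbfijb share another, and 5395.exe appears both in Temp and under a GUID folder in Local. That is the dropped payloads copying themselves to a second location, and it means the raw list over-counts distinct artifacts. The script below is an added example and not part of the sandbox report: it parses this section's own layout (a path line, then MD5/SHA1/SHA256/SHA512 lines, with memory/ dump names in between), groups paths by content hash, collapses repeated dumps of the same region per process, and hashes an arbitrary blob against the resulting IOC set. The SAMPLE_REPORT excerpt is copied from the entries above; the reading of the dump name as memory/<pid>-<index>-<start>-<end> is an assumption about the sandbox's naming, and the function names are the example's own.

```python
import hashlib
import re
from collections import defaultdict

# Excerpt copied from the report's Files section (constructed sample input,
# kept in the report's own layout so the parser can be checked offline).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\BD9D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3568-107-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3156-178-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-180-0x0000000002630000-0x0000000002640000-memory.dmp
memory/3156-195-0x0000000002C90000-0x0000000002CA6000-memory.dmp

C:\Users\Admin\AppData\Roaming\tvbfijb

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Assumed naming: memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (records, dumps): records are {path, hashes} dicts in report order,
    dumps are (pid, index, start, end) tuples. Malformed hash lines are rejected."""
    records, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                raise ValueError(f"hash line before any file path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current["hashes"][algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            continue
        # Anything else is a dropped-file path and opens a new record.
        current = {"path": line, "hashes": {}}
        records.append(current)
    return records, dumps


def paths_by_sha256(records):
    """Group paths by content hash: one hash under several paths is a self-copy."""
    groups = defaultdict(list)
    for r in records:
        sha = r["hashes"].get("SHA256")
        if sha and r["path"] not in groups[sha]:
            groups[sha].append(r["path"])
    return dict(groups)


def dump_regions_by_pid(dumps):
    """Collapse repeated dumps of one region into (start, end, count) per PID."""
    counts = defaultdict(lambda: defaultdict(int))
    for pid, _idx, start, end in dumps:
        counts[pid][(start, end)] += 1
    return {pid: sorted((s, e, n) for (s, e), n in regions.items())
            for pid, regions in counts.items()}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_bytes(data, records):
    """IOC check: hash a blob recovered from a host and return the report
    paths whose MD5 or SHA256 it matches (empty list when it is not one of them)."""
    md5 = hashlib.md5(data).hexdigest()
    sha = sha256_hex(data)
    return [r["path"] for r in records
            if r["hashes"].get("SHA256") == sha or r["hashes"].get("MD5") == md5]


if __name__ == "__main__":
    recs, dmps = parse_files_section(SAMPLE_REPORT)
    for sha, paths in paths_by_sha256(recs).items():
        print(sha[:16], "->", paths)
    for pid, regions in sorted(dump_regions_by_pid(dmps).items()):
        for start, end, n in regions:
            print(f"pid {pid}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes, {n} dump(s))")
    print(match_bytes(b"not one of the dropped files", recs))
```

Feed it the whole Files section rather than the excerpt to get the deduplicated IOC set for the run; the grouped output is what to hand to a hunt, and the per-PID region list is what to pull from the dumps when you want to carve the unpacked payload instead of the Themida-wrapped file on disk.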