Malware Analysis Report

2025-01-18 06:23

Sample ID 231017-p35zzsde86
Target 2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3
SHA256 2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3

Threat Level: Known bad

The file 2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3 was found to be: Known bad.

Reading the chain (an editor's summary drawn from the behavioral data below; the sandbox itself does not attribute the dropped files to families): the submitted executable behaves as a SmokeLoader bot. The WriteProcessMemory and memory-dump entries show that every later payload is started by PID 3136, which the report never names; SmokeLoader's documented habit of injecting into explorer.exe, and the fact that 3136 goes on to start both a 32-bit and a 64-bit explorer.exe of its own, make the injected desktop explorer.exe the most plausible identity. From there it drops and runs a series of short-hex-named payloads from %TEMP%. F0B4.exe carries the STOP/Djvu markers: the SysHelper Run key, the "--Admin IsNotAutoStart IsNotTask" relaunch, the icacls ACE that denies Everyone (S-1-1-0) delete rights on a GUID-named folder under AppData\Local, the Geo\Nation lookup, and (a STOP/Djvu habit rather than something the report ties to a process) the api.2ip.ua geolocation query. 2AA4.exe carries the Amadey markers: a copy of itself as Temp\577f58beff\yiueea.exe, a scheduled task that relaunches that copy every minute, and a CACLS chain that removes the current user's own permissions on the copy and its folder so neither can be deleted without an ACL repair. FA69.exe is Themida-packed, performs the VirtualBox, BIOS and UAC checks, hides its thread from the debugger and takes SeDebugPrivilege; the argument-less AppLaunch.exe instances that also take SeDebugPrivilege are the usual host for a RedLine payload and are the likely source of the RedLine signatures. The Outlook-profile reads come from the 32-bit explorer.exe that 3136 spawned, that is from a payload injected into it; the report does not say which. 20D0.exe, 32E3.exe, 39F8.exe and the two DLLs (F5A.dll, 3E00.dll) registered through regsvr32 /s account for the Glupteba and the remaining loader/backdoor detections, but the report does not say which file is which.

Malicious Activity Summary

RedLine payload

SmokeLoader

Glupteba

Amadey

Djvu Ransomware

RedLine

Detected Djvu ransomware

Glupteba payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Deletes itself

Checks BIOS information in registry

Checks computer location settings

Modifies file permissions

Themida packer

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

outlook_win_path

outlook_office_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 12:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 12:52

Reported

2023-10-17 12:55

Platform

win10v2004-20230915-en

Max time kernel

178s

Max time network

191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(13 Djvu detection events recorded with no description, indicator, process or target)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(5 Glupteba payload events recorded with no description, indicator, process or target)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FA69.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FA69.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FA69.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2AA4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F0B4.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
(4 Themida packer matches recorded with no description, indicator, process or target)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\936b1377-db90-4736-b269-78bb34e35469\\F0B4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F0B4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\FA69.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FA69.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\32E3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\32E3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\32E3.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe N/A
(62 further process-enumeration events recorded with no description, indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32E3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FA69.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3136 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 3948 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA69.exe
PID 3136 wrote to memory of 3948 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA69.exe
PID 3136 wrote to memory of 3948 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA69.exe
PID 3136 wrote to memory of 2376 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3136 wrote to memory of 2376 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 3628 N/A N/A C:\Users\Admin\AppData\Local\Temp\20D0.exe
PID 3136 wrote to memory of 3628 N/A N/A C:\Users\Admin\AppData\Local\Temp\20D0.exe
PID 3136 wrote to memory of 3628 N/A N/A C:\Users\Admin\AppData\Local\Temp\20D0.exe
PID 2376 wrote to memory of 2276 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2376 wrote to memory of 2276 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2376 wrote to memory of 2276 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3136 wrote to memory of 1776 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe
PID 3136 wrote to memory of 1776 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe
PID 3136 wrote to memory of 1776 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe
PID 3136 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\32E3.exe
PID 3136 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\32E3.exe
PID 3136 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\32E3.exe
PID 1776 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1776 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1776 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5112 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\39F8.exe
PID 3136 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\39F8.exe
PID 3136 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\39F8.exe
PID 3136 wrote to memory of 1612 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3136 wrote to memory of 1612 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1612 wrote to memory of 560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1612 wrote to memory of 560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1612 wrote to memory of 560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3136 wrote to memory of 4320 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3136 wrote to memory of 4320 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3136 wrote to memory of 4320 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3136 wrote to memory of 4320 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3136 wrote to memory of 2524 N/A N/A C:\Windows\explorer.exe
PID 3136 wrote to memory of 2524 N/A N/A C:\Windows\explorer.exe
PID 3136 wrote to memory of 2524 N/A N/A C:\Windows\explorer.exe
PID 816 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Windows\SysWOW64\icacls.exe
PID 816 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Windows\SysWOW64\icacls.exe
PID 816 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Windows\SysWOW64\icacls.exe
PID 2388 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
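The table above logs one row per write (hence the triplicates) and names the writing process only when it is not the unnamed PID 3136, so the parent/child structure is easier to see as a tree. The following Python script is an added example, not sandbox output: it parses rows in the report's format (space-separated columns, no spaces inside paths), collapses repeated edges, keeps whatever image name the rows supply, and prints the tree. SAMPLE_ROWS is a constructed subset copied from the table; the only assumption is that a write from A into B means A started B, which holds for the CreateProcess-then-WriteProcessMemory pattern the sandbox is recording here.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.

Added example, not sandbox output. SAMPLE_ROWS is a constructed subset of
the table above (the sandbox logs one row per write, hence the repeats).
"""
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst> <indicator> <source image> <target image>"
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

SAMPLE_ROWS = r"""
PID 3136 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 3948 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA69.exe
PID 3136 wrote to memory of 2376 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1556 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Users\Admin\AppData\Local\Temp\F0B4.exe
PID 3136 wrote to memory of 3628 N/A N/A C:\Users\Admin\AppData\Local\Temp\20D0.exe
PID 2376 wrote to memory of 2276 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3136 wrote to memory of 1776 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe
PID 3136 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\32E3.exe
PID 1776 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2AA4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5112 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\39F8.exe
PID 3136 wrote to memory of 1612 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1612 wrote to memory of 560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3136 wrote to memory of 4320 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3136 wrote to memory of 2524 N/A N/A C:\Windows\explorer.exe
PID 816 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\F0B4.exe C:\Windows\SysWOW64\icacls.exe
PID 2388 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
"""


def parse_rows(text):
    """Return (edges, names): unique (src, dst) pairs in first-seen order, and pid -> image."""
    edges, names, seen = [], {}, set()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, _indicator, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        if src_img != "N/A":
            names.setdefault(src, src_img)
        if dst_img != "N/A":
            names.setdefault(dst, dst_img)
        if (src, dst) not in seen:          # collapse the one-row-per-write repeats
            seen.add((src, dst))
            edges.append((src, dst))
    return edges, names


def build_tree(edges):
    """Return (roots, children): pids nobody wrote into, and the child map."""
    children, targets = defaultdict(list), set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    roots = [s for s in dict.fromkeys(s for s, _ in edges) if s not in targets]
    return roots, children


def render(roots, children, names, unknown="<not named in report>"):
    """Indented one-line-per-process view; unnamed pids (3136 here) are marked."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {names.get(pid, unknown)}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, names = parse_rows(SAMPLE_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, names)))
```

Run on the subset, the only root is 3136 (it never appears as a target), which is exactly the process the report leaves unnamed; everything else hangs off it, with 2AA4.exe, yiueea.exe, cmd.exe, cacls.exe forming the Amadey branch and F0B4.exe, F0B4.exe, icacls.exe the Djvu branch.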

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe

"C:\Users\Admin\AppData\Local\Temp\2159e74387f64f331878f65c567cc7e96db51032407d24493e2d24eb382ac7a3.exe"

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Users\Admin\AppData\Local\Temp\FA69.exe

C:\Users\Admin\AppData\Local\Temp\FA69.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F5A.dll

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Users\Admin\AppData\Local\Temp\20D0.exe

C:\Users\Admin\AppData\Local\Temp\20D0.exe

C:\Users\Admin\AppData\Local\Temp\2AA4.exe

C:\Users\Admin\AppData\Local\Temp\2AA4.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F5A.dll

C:\Users\Admin\AppData\Local\Temp\32E3.exe

C:\Users\Admin\AppData\Local\Temp\32E3.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\39F8.exe

C:\Users\Admin\AppData\Local\Temp\39F8.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3E00.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3E00.dll

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\936b1377-db90-4736-b269-78bb34e35469" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

"C:\Users\Admin\AppData\Local\Temp\F0B4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

"C:\Users\Admin\AppData\Local\Temp\F0B4.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3996 -ip 3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
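The command lines above are the most reusable part of this report: a minute-interval scheduled task pointing into %TEMP%, CACLS and icacls used to make dropped files undeletable (CACLS without /E replaces the ACL and prompts for confirmation, which the "echo Y|" pipe answers; "/P Admin:N" then "/P Admin:R /E" leaves the user read-only on the file), regsvr32 /s registering DLLs from %TEMP%, AppLaunch.exe started with no arguments, and powershell -nologo -noprofile. The following Python rules are an added example, not sandbox output and not code from any tool or malware family named on the page: they encode those behaviours, plus the VirtualBox/BIOS registry reads and the SysHelper Run key, as detections over Sysmon-style events. Assumptions: the Event fields are modelled on Sysmon Event ID 1 (process creation) and 13 (registry value set); the parent of the powershell.exe and AppLaunch.exe instances is taken to be FA69.exe, which the report does not record; and registry reads such as the VBOX__ key are not Sysmon events at all and would have to come from EDR or sandbox API telemetry. The sample events are constructed from the command lines and registry rows on this page, with a few benign look-alikes so the rules can be seen not to fire.

```python
"""Detection rules for the process and registry behaviour in this report.

Added example: SAMPLE_EVENTS are constructed from the report's own command
lines and registry rows (plus benign look-alikes); they are not sandbox
output, and the rules are not code from any tool named on the page.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "process" (Sysmon EID 1) or "registry" (EID 13 / EDR trace)
    image: str               # image of the acting process
    cmdline: str = ""        # full command line (process events)
    parent_image: str = ""   # parent image (process events)
    target_object: str = ""  # registry key or value path (registry events)
    details: str = ""        # registry value data (registry events)


# Locations an unprivileged user can write to; every payload here lives in one.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData)\\", re.I)


def _is(image, name):
    return image.lower().endswith("\\" + name.lower())


def rule_minute_task(e):
    # schtasks /Create /SC MINUTE /MO 1 ... /TR <user-writable exe>: Amadey relaunch loop
    if (e.kind == "process" and _is(e.image, "schtasks.exe")
            and re.search(r"/sc\s+minute\b", e.cmdline, re.I)
            and re.search(r"/mo\s+1\b", e.cmdline, re.I)
            and USER_WRITABLE.search(e.cmdline)):
        return "minute-interval scheduled task pointing at a user-writable path"


def rule_acl_lockdown(e):
    # CACLS ... /P <user>:N  or  icacls ... /deny ...: dropper makes its files undeletable
    if (e.kind == "process" and re.search(r"\bi?cacls(\.exe)?\b", e.cmdline, re.I)
            and re.search(r":N\b|/deny\b", e.cmdline, re.I)):
        return "cacls/icacls stripping or denying permissions on dropped files"


def rule_regsvr32_user_dll(e):
    # regsvr32 /s <dll under a user-writable path>: silent DllRegisterServer of a drop
    if (e.kind == "process" and _is(e.image, "regsvr32.exe")
            and re.search(r"(^|\s)/s\b", e.cmdline, re.I)
            and USER_WRITABLE.search(e.cmdline)):
        return "regsvr32 silently registering a DLL from a user-writable path"


def rule_applaunch_noargs(e):
    # AppLaunch.exe does nothing useful without arguments; here it is the injection host
    if e.kind == "process" and _is(e.image, "AppLaunch.exe"):
        if e.cmdline.strip().strip('"').lower() == e.image.lower():
            return "AppLaunch.exe started without arguments (likely injection host)"


def rule_powershell_from_userpath(e):
    if (e.kind == "process" and _is(e.image, "powershell.exe")
            and USER_WRITABLE.search(e.parent_image)):
        return "powershell spawned by a process running from a user-writable path"


def rule_vm_fingerprint(e):
    # The VirtualBox/BIOS checks FA69.exe made; key reads need EDR/sandbox telemetry
    if (e.kind == "registry" and USER_WRITABLE.search(e.image)
            and re.search(r"HARDWARE\\ACPI\\DSDT\\VBOX__"
                          r"|HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion",
                          e.target_object, re.I)):
        return "VM/BIOS fingerprinting registry access from a user-writable image"


def rule_run_key_userpath(e):
    if (e.kind == "registry" and re.search(r"\\CurrentVersion\\Run\\", e.target_object, re.I)
            and USER_WRITABLE.search(e.details)):
        return "Run key value pointing at a user-writable path"


RULES = [rule_minute_task, rule_acl_lockdown, rule_regsvr32_user_dll, rule_applaunch_noargs,
         rule_powershell_from_userpath, rule_vm_fingerprint, rule_run_key_userpath]


def detect(events):
    """Return (event index, rule name, message) for every rule that fires."""
    findings = []
    for i, e in enumerate(events):
        for rule in RULES:
            msg = rule(e)
            if msg:
                findings.append((i, rule.__name__, msg))
    return findings


T = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
SAMPLE_EVENTS = [  # constructed from the report; parents marked "assumed" are not in it
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          rf'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "{T}\577f58beff\yiueea.exe" /F',
          rf"{T}\577f58beff\yiueea.exe"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&Exit',
          rf"{T}\577f58beff\yiueea.exe"),
    Event("process", r"C:\Windows\SysWOW64\icacls.exe",
          r'icacls "C:\Users\Admin\AppData\Local\936b1377-db90-4736-b269-78bb34e35469" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
          rf"{T}\F0B4.exe"),
    Event("process", r"C:\Windows\system32\regsvr32.exe", rf"regsvr32 /s {T}\F5A.dll"),
    Event("process", NET, f'"{NET}"', rf"{T}\FA69.exe"),                           # parent assumed
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -nologo -noprofile", rf"{T}\FA69.exe"),                       # parent assumed
    Event("registry", rf"{T}\FA69.exe", target_object=r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event("registry", rf"{T}\F0B4.exe",
          target_object=r"\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
          details=r'"C:\Users\Admin\AppData\Local\936b1377-db90-4736-b269-78bb34e35469\F0B4.exe" --AutoStart'),
    # benign look-alikes: none of these should fire
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Vendor\backup.exe"'),
    Event("process", r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'),
    Event("process", NET, f'"{NET}" /activate "https://example.invalid/app.application"'),
    Event("registry", r"C:\Program Files\Vendor\setup.exe",
          target_object=r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
          details=r'"C:\Program Files\Vendor\Updater.exe"'),
]

if __name__ == "__main__":
    for i, name, msg in detect(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {msg}")
```

Each of the eight malicious events trips exactly one rule and the four benign ones trip none. The rules key on the user-writable path rather than on the file names, which is what survives when the next build of the loader picks different four-hex-digit names.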

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
US 8.8.8.8:53 67.230.53.211.in-addr.arpa udp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
GB 145.239.200.147:30225 - tcp
RU 31.41.244.27:41140 - tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
GB 145.239.200.147:30225 - tcp
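The Network table mixes three things: the sandbox's resolver traffic to 8.8.8.8, reverse (PTR) lookups of every address it touched, and the actual connections. The following Python script is an added example, not sandbox output: it separates them into indicators, with two caveats a practitioner would apply before blocking. api.2ip.ua is a legitimate external-IP lookup service, so it is a behavioural indicator rather than a block-list entry; and 104.21.21.57, 172.67.213.185 and 188.114.96.0 sit in Cloudflare's announced 104.16.0.0/13, 172.64.0.0/13 and 188.114.96.0/20, shared infrastructure that should be blocked by domain, not by address. The benign-service list and the CDN ranges are this example's assumptions and have to be maintained locally (the ranges are as published at the time of writing); the input rows are a constructed subset of the table, and a "-" or missing domain column means the sample connected by literal IP.

```python
"""Separate the Network table into blockable indicators.

Added example, not sandbox output. SAMPLE_ROWS is a constructed subset of the
table above; BENIGN_SERVICES and SHARED_HOSTING are this example's assumptions
(the ranges are Cloudflare's announced prefixes that contain the three
addresses in the table, checked at the time of writing).
"""
import ipaddress
import re

# "<country> <ip>:<port> [<domain or "-">] <proto>"
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (udp|tcp)$")

BENIGN_SERVICES = {"api.2ip.ua"}  # external-IP lookup: behavioural indicator, not C2
SHARED_HOSTING = [ipaddress.ip_network(n) for n in
                  ("104.16.0.0/13", "172.64.0.0/13", "188.114.96.0/20")]

SAMPLE_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 104.21.21.57:443 montereyclub.org tcp
US 172.67.213.185:443 loveperry.org tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
KR 211.53.230.67:80 wirtshauspost.at tcp
GB 145.239.200.147:30225 tcp
RU 31.41.244.27:41140 - tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
"""


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def triage(text):
    domains, benign, endpoints, raw_ip = set(), set(), set(), set()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _cc, ip, port, domain, proto = m.groups()
        if domain == "-":
            domain = None
        # harvest names from DNS queries and connections alike, dropping PTR noise
        if domain and not domain.endswith(".in-addr.arpa") and not _is_ip(domain):
            (benign if domain in BENIGN_SERVICES else domains).add(domain)
        if proto == "udp" and port == "53":
            continue  # sandbox resolver traffic, not attacker infrastructure
        ep = f"{ip}:{port}"
        endpoints.add(ep)
        if domain is None or _is_ip(domain):
            raw_ip.add(ep)  # reached by literal IP: a hard-coded C2 address
    shared = {ep for ep in endpoints
              if any(ipaddress.ip_address(ep.rsplit(":", 1)[0]) in net for net in SHARED_HOSTING)}
    return {
        "domains": sorted(domains),
        "benign_services": sorted(benign),
        "endpoints": sorted(endpoints),
        "raw_ip": sorted(raw_ip),
        "shared_hosting": sorted(shared),           # block these by domain, not by address
        "blockable_ips": sorted(endpoints - shared),
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_ROWS).items():
        print(f"{key}: {', '.join(values)}")
```

On the subset this yields four blockable domains, three hard-coded C2 endpoints (79.137.192.18:80, 145.239.200.147:30225 and 31.41.244.27:41140, the last two on high non-standard ports typical of RedLine-style raw TCP panels), and three Cloudflare-fronted endpoints that go on the domain list only.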

Files

memory/4360-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/4360-2-0x00000000022F0000-0x00000000022FB000-memory.dmp

memory/4360-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3136-4-0x0000000007780000-0x0000000007796000-memory.dmp

memory/4360-5-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/4360-8-0x00000000022F0000-0x00000000022FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/1556-20-0x0000000002200000-0x000000000229B000-memory.dmp

memory/1556-21-0x00000000024A0000-0x00000000025BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA69.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/3948-26-0x0000000000CD0000-0x0000000001478000-memory.dmp

memory/1556-28-0x0000000002200000-0x000000000229B000-memory.dmp

memory/816-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/816-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-32-0x0000000076580000-0x0000000076670000-memory.dmp

memory/816-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-35-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-36-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-33-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-38-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-39-0x0000000076580000-0x0000000076670000-memory.dmp

memory/816-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-37-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-42-0x0000000076580000-0x0000000076670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20D0.exe

MD5 0eb209073c46b31d582a961d47f81dc8
SHA1 390731f05458610d99cd5bb796849bca69107d42
SHA256 30c888dc6f1ab30cb7c0132abf1871aad47017bd4be2f5be2961b27f4061197a
SHA512 e946013e3a22711bf282046695fc30352dbc0a74686be5c3a826a284b3bad36f15b86b413ce386947ae33fd922bacf948c837bf65e5cf24114e0125a8c5b183f

memory/3948-46-0x0000000076F04000-0x0000000076F06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F5A.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3948-49-0x0000000000CD0000-0x0000000001478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2AA4.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2276-58-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/2276-59-0x00000000010B0000-0x00000000010B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\32E3.exe

MD5 581805897c9591a2f5d7a431f10775d6
SHA1 6f30ae97bdd9e405b9b6b5d0b0d5aa3821c77d66
SHA256 7370a99b782b61188924ed76a21ac6448a47c371f47f61675dd56d389e4f2d54
SHA512 403ea0e18ea3472fc0a89342f810d9f24b10c1b610478f86394d87fa00935aa9ec56c12d16698f404966fa8b849d8dd215460f8899915e905242cd4f014b3509

memory/3948-74-0x0000000000CD0000-0x0000000001478000-memory.dmp

memory/1584-75-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/3948-76-0x0000000006120000-0x00000000066C4000-memory.dmp

memory/1584-77-0x0000000000810000-0x000000000081B000-memory.dmp

memory/3948-78-0x0000000005A50000-0x0000000005AE2000-memory.dmp

memory/3948-81-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-80-0x0000000005D10000-0x0000000005DAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\39F8.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1584-79-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3948-87-0x0000000005B10000-0x0000000005B1A000-memory.dmp

memory/2276-88-0x0000000002DD0000-0x0000000002ED8000-memory.dmp

memory/3948-89-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-92-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4320-97-0x00000000006A0000-0x000000000070B000-memory.dmp

memory/3948-99-0x0000000076580000-0x0000000076670000-memory.dmp

memory/3948-98-0x0000000076580000-0x0000000076670000-memory.dmp

memory/2276-100-0x0000000002EE0000-0x0000000002FD0000-memory.dmp

memory/3948-101-0x0000000076580000-0x0000000076670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E00.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

memory/4320-104-0x0000000000710000-0x0000000000790000-memory.dmp

memory/2276-103-0x0000000002EE0000-0x0000000002FD0000-memory.dmp

memory/560-107-0x0000000010000000-0x00000000101E3000-memory.dmp

memory/4320-106-0x00000000006A0000-0x000000000070B000-memory.dmp

memory/2276-110-0x0000000002EE0000-0x0000000002FD0000-memory.dmp

memory/3948-108-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4960-115-0x0000000004C30000-0x000000000502D000-memory.dmp

memory/4960-119-0x0000000005130000-0x0000000005A1B000-memory.dmp

memory/2524-114-0x0000000000540000-0x000000000054C000-memory.dmp

memory/816-124-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-128-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/2524-142-0x0000000000540000-0x000000000054C000-memory.dmp

memory/3136-143-0x00000000026A0000-0x00000000026B6000-memory.dmp

memory/2524-138-0x0000000000550000-0x0000000000557000-memory.dmp

memory/1584-145-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/4960-147-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2276-148-0x0000000002EE0000-0x0000000002FD0000-memory.dmp

memory/4320-149-0x00000000006A0000-0x000000000070B000-memory.dmp

memory/560-150-0x00000000023B0000-0x00000000024CB000-memory.dmp

memory/560-152-0x00000000024D0000-0x00000000025CF000-memory.dmp

memory/560-155-0x00000000024D0000-0x00000000025CF000-memory.dmp

memory/560-156-0x00000000024D0000-0x00000000025CF000-memory.dmp

C:\Users\Admin\AppData\Local\936b1377-db90-4736-b269-78bb34e35469\F0B4.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/816-159-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/3948-162-0x0000000005CE0000-0x0000000005CFC000-memory.dmp

memory/4960-158-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4080-164-0x0000000002140000-0x00000000021D3000-memory.dmp

memory/3948-165-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-170-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-168-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-175-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-178-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3996-177-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-182-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3996-180-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-184-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3996-174-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-186-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-166-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-188-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-190-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-192-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/3948-194-0x0000000005CE0000-0x0000000005CF5000-memory.dmp

memory/2864-195-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2864-196-0x0000000073220000-0x00000000739D0000-memory.dmp

memory/3948-197-0x0000000005A20000-0x0000000005A30000-memory.dmp

memory/4960-198-0x0000000004C30000-0x000000000502D000-memory.dmp

memory/2524-199-0x0000000000540000-0x000000000054C000-memory.dmp

memory/4960-200-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4960-203-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3948-207-0x0000000000CD0000-0x0000000001478000-memory.dmp

memory/2864-206-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\suerijg

MD5 581805897c9591a2f5d7a431f10775d6
SHA1 6f30ae97bdd9e405b9b6b5d0b0d5aa3821c77d66
SHA256 7370a99b782b61188924ed76a21ac6448a47c371f47f61675dd56d389e4f2d54
SHA512 403ea0e18ea3472fc0a89342f810d9f24b10c1b610478f86394d87fa00935aa9ec56c12d16698f404966fa8b849d8dd215460f8899915e905242cd4f014b3509

memory/4944-214-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3948-216-0x0000000076580000-0x0000000076670000-memory.dmp

memory/4944-217-0x0000000073220000-0x00000000739D0000-memory.dmp

memory/4944-218-0x0000000007090000-0x00000000070A0000-memory.dmp

memory/2864-219-0x0000000073220000-0x00000000739D0000-memory.dmp

memory/2864-222-0x0000000007CE0000-0x0000000007CF0000-memory.dmp

memory/2864-223-0x00000000089D0000-0x0000000008FE8000-memory.dmp

memory/2864-224-0x0000000008420000-0x0000000008432000-memory.dmp

memory/2864-225-0x0000000008550000-0x000000000865A000-memory.dmp

memory/2864-226-0x0000000008480000-0x00000000084BC000-memory.dmp

memory/4944-227-0x0000000073220000-0x00000000739D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzq1ler3.roj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
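The listing above is easier to work with once it is turned into structured IOCs: the same SHA256 shows up under more than one path (7370a99b... is written both as Temp\32E3.exe and as Roaming\suerijg, and f9f9b154... as Temp\577f58beff\yiueea.exe), and the memory dump names encode a PID, an event index and the dumped address range. The parser below is an added example and is not code from the sandbox vendor or from this report; it assumes the format exactly as printed here (a drive-letter path, then its hash lines, with memory/PID-INDEX-START-END-memory.dmp lines in between). Its sample input is a constructed excerpt of the listing, with the page's own paths and hashes and SHA512 lines omitted for brevity.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "Files" listing above, used as sample input for this
# parser. Paths and hashes are copied from the report; SHA512 lines are left out
# here for brevity, but the parser accepts them.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\32E3.exe

MD5 581805897c9591a2f5d7a431f10775d6
SHA1 6f30ae97bdd9e405b9b6b5d0b0d5aa3821c77d66
SHA256 7370a99b782b61188924ed76a21ac6448a47c371f47f61675dd56d389e4f2d54

memory/3948-74-0x0000000000CD0000-0x0000000001478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32E3.exe

MD5 581805897c9591a2f5d7a431f10775d6
SHA1 6f30ae97bdd9e405b9b6b5d0b0d5aa3821c77d66
SHA256 7370a99b782b61188924ed76a21ac6448a47c371f47f61675dd56d389e4f2d54

memory/1584-75-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/3948-76-0x0000000006120000-0x00000000066C4000-memory.dmp

memory/1584-79-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Roaming\suerijg

MD5 581805897c9591a2f5d7a431f10775d6
SHA1 6f30ae97bdd9e405b9b6b5d0b0d5aa3821c77d66
SHA256 7370a99b782b61188924ed76a21ac6448a47c371f47f61675dd56d389e4f2d54

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Split the listing into file records ({path, MD5, ...}) and dump records
    ({pid, index, start, end}); a hash line attaches to the most recent path."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None  # a dump line ends the current file record
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError("hash line without a preceding path: " + line)
            if len(digest) != HASH_LEN[algo]:
                raise ValueError("%s digest has wrong length: %s" % (algo, digest))
            current[algo] = digest
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
    return files, dumps


def dedupe_files(files):
    """Drop verbatim repeats (same path and same SHA256), keeping the first."""
    seen, unique = set(), []
    for f in files:
        key = (f["path"], f.get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def paths_by_sha256(files):
    """Map each SHA256 to the distinct paths it was written to, in report order.
    More than one path for a hash means one payload was copied under a new name."""
    groups = defaultdict(list)
    for f in dedupe_files(files):
        if "SHA256" in f:
            groups[f["SHA256"]].append(f["path"])
    return dict(groups)


def largest_region_per_pid(dumps):
    """Size in bytes of the largest dumped region per PID, a quick way to pick
    the dump most likely to hold an unpacked image."""
    best = {}
    for d in dumps:
        best[d["pid"]] = max(d["end"] - d["start"], best.get(d["pid"], 0))
    return best


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for digest, paths in paths_by_sha256(files).items():
        if len(paths) > 1:
            print("%s... dropped as: %s" % (digest[:16], ", ".join(paths)))
    for pid, size in sorted(largest_region_per_pid(dumps).items()):
        print("pid %d: largest dumped region 0x%X bytes" % (pid, size))
```

Feed the full Files section to parse_listing to get one deduplicated hash set for blocking and a per-PID list of dump ranges; a hash that maps to several paths (here Temp\32E3.exe and Roaming\suerijg) is the copy to look for first when checking persistence on a live host.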