Malware Analysis Report

2025-01-18 06:23

Sample ID 231018-s22gysff6y
Target file.exe
SHA256 d3ff42e30d8fab9324a80f08e50445a1fcf72fa2cfe410043785bf4ff4c637ae
Tags
amadey djvu glupteba redline smokeloader pub1 summ backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan logsdiller cloud (tg: @logsdillabot)
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d3ff42e30d8fab9324a80f08e50445a1fcf72fa2cfe410043785bf4ff4c637ae

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

RedLine

SmokeLoader

Djvu Ransomware

Detected Djvu ransomware

Glupteba

RedLine payload

Glupteba payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Stops running service(s)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Deletes itself

Modifies file permissions

Themida packer

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Creates scheduled task(s)

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

outlook_win_path

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-18 15:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-18 15:38

Reported

2023-10-18 15:42

Platform

win10v2004-20230915-en

Max time kernel

78s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows; no indicator detail recorded for these hits)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F3F6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8C.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\F3F6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\F3F6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9C5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F1C2.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows; no indicator detail recorded for these hits)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1ea6db0c-86b1-4817-b6c3-f35a4e8c8683\\F1C2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F1C2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\F3F6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8C.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\427.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\427.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\427.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
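Worked example (added by the editor; not part of the sandbox output): the registry rows above are the report's main evidence for anti-VM checks (the ACPI DSDT VBOX__ key and the SystemBiosVersion/VideoBiosVersion strings), UAC and locale discovery (EnableLUA, Geo\Nation), Run-key persistence (SysHelper) and Outlook profile access, but they sit next to dozens of rows that are ordinary noise: the MuiCache entries written by 2ABD.exe are cached time-zone display names resolved from tzres.dll, and the SystemCertificates keys under HKEY_USERS\.DEFAULT are created when powershell.exe first opens a certificate store in the SYSTEM profile. The Python below parses rows in the report's own column layout, tags each with an analyst label and signal level (the labels, rules and levels are the editor's assumptions, not the sandbox's tags), and recovers the Run-key image path and arguments from the report's escaped string. The sample rows are copied from the tables on this page.

```python
"""Triage of registry indicator rows from a sandbox report (editor's example).

Parses rows in the layout printed on this page,
    <operation> <key path>[ = "<data>"] <acting process> N/A
classifies each key path with a small rule table, and pulls the autostart
command out of the escaped Run-key value. Labels and signal levels are the
editor's assumptions, not the sandbox's own tags.
"""
import re
from collections import Counter

# Constructed sample: one row per signature family, copied from the tables above.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F3F6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F1C2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1ea6db0c-86b1-4817-b6c3-f35a4e8c8683\\F1C2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F1C2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
"""

ROW_RE = re.compile(
    r"^(?P<op>Key opened|Key created|Key enumerated|Key queried|Key value queried|Set value \(\w+\))\s+"
    r"(?P<key>\\REGISTRY\\.*?)"                   # key path; may contain spaces, so non-greedy
    r'(?:\s+=\s+"(?P<data>(?:[^"\\]|\\.)*)")?'     # optional value data, with \" and \\ escapes
    r"\s+(?P<proc>[A-Z]:\\\S+)\s+N/A$"            # acting process, then the empty Target column
)

# (label, key-path regex, signal): the editor's triage rules, first match wins.
RULES = (
    ("anti-vm:acpi-vbox",          r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$",               "high"),
    ("anti-vm:bios-version",       r"\\HARDWARE\\DESCRIPTION\\System\\\w*BiosVersion$", "high"),
    ("persistence:run-key",        r"\\CurrentVersion\\Run\\",                          "high"),
    ("collection:outlook-profile", r"\\Outlook\\Profiles\\",                            "high"),
    ("discovery:geo-nation",       r"\\Control Panel\\International\\Geo\\Nation$",     "medium"),
    ("discovery:uac-enablelua",    r"\\Policies\\System\\EnableLUA$",                   "medium"),
    ("noise:muicache-tzres",       r"\\MuiCache\\.*tzres\.dll",                         "low"),
    ("noise:cert-store-init",      r"\\SystemCertificates\\",                           "low"),
)


def parse_row(line):
    """Split one report row into op / key / data / proc, or None if it is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row["data"] is not None:
        # undo the report's C-style escaping (\" and \\) to get the literal registry value
        row["data"] = row["data"].encode("latin-1").decode("unicode_escape")
    return row


def classify(row):
    for label, pattern, signal in RULES:
        if re.search(pattern, row["key"]):
            return label, signal
    return "unclassified", "medium"


def autostart_entries(rows):
    """(value name, image path, arguments, writing process) for every Run-key write."""
    out = []
    for r in rows:
        if r["op"].startswith("Set value") and re.search(r"\\CurrentVersion\\Run\\", r["key"]):
            name = r["key"].rsplit("\\", 1)[1]
            m = re.match(r'^"([^"]+)"\s*(.*)$', r["data"] or "")   # "<quoted image>" <args>
            image, args = (m.group(1), m.group(2)) if m else (r["data"], "")
            out.append((name, image, args, r["proc"]))
    return out


def triage(text):
    """Parse every row, count labels, and bucket rows by signal level."""
    rows = [r for r in map(parse_row, text.strip().splitlines()) if r]
    counts = Counter()
    by_signal = {"high": [], "medium": [], "low": []}
    for r in rows:
        label, signal = classify(r)
        counts[label] += 1
        by_signal[signal].append((label, r["op"], r["proc"].rsplit("\\", 1)[1]))
    return rows, counts, by_signal


if __name__ == "__main__":
    rows, counts, by_signal = triage(SAMPLE_ROWS)
    for signal in ("high", "medium", "low"):
        print(f"[{signal}]")
        for entry in by_signal[signal]:
            print("   ", *entry)
    for name, image, args, proc in autostart_entries(rows):
        print(f"Run\\{name} -> {image} {args}  (written by {proc})")
```

The rule table is deliberately path-based rather than process-based: the same VBOX__ and BiosVersion reads appear from three different dropped binaries (F3F6.exe, 8C.exe, mi.exe), so matching on the key catches all of them, and a low-signal bucket keeps the time-zone and certificate-store rows from burying the four high-signal ones.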

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A (62 identical rows; no process recorded for these hits)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\427.exe N/A
N/A N/A N/A N/A (22 identical rows; no process recorded for these hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8C.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ABD.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 1944 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 3176 wrote to memory of 1944 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 3176 wrote to memory of 1944 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 3176 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe
PID 3176 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe
PID 3176 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe
PID 3176 wrote to memory of 1312 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3176 wrote to memory of 1312 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3176 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\F724.exe
PID 3176 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\F724.exe
PID 3176 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\F724.exe
PID 1312 wrote to memory of 4968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1312 wrote to memory of 4968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1312 wrote to memory of 4968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 1944 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Users\Admin\AppData\Local\Temp\F1C2.exe
PID 3176 wrote to memory of 3032 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C.exe
PID 3176 wrote to memory of 3032 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C.exe
PID 3176 wrote to memory of 3032 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C.exe
PID 3176 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\427.exe
PID 3176 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\427.exe
PID 3176 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\427.exe
PID 3176 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C5.exe
PID 3176 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C5.exe
PID 3176 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C5.exe
PID 5108 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\9C5.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5108 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\9C5.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5108 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\9C5.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3176 wrote to memory of 1432 N/A N/A C:\Users\Admin\AppData\Local\Temp\14E2.exe
PID 3176 wrote to memory of 1432 N/A N/A C:\Users\Admin\AppData\Local\Temp\14E2.exe
PID 3176 wrote to memory of 1432 N/A N/A C:\Users\Admin\AppData\Local\Temp\14E2.exe
PID 3720 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Windows\SysWOW64\icacls.exe
PID 3720 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Windows\SysWOW64\icacls.exe
PID 3720 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\F1C2.exe C:\Windows\SysWOW64\icacls.exe
PID 3464 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3464 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3464 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3784 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3784 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3176 wrote to memory of 3768 N/A N/A C:\Users\Admin\AppData\Local\Temp\2ABD.exe
PID 3176 wrote to memory of 3768 N/A N/A C:\Users\Admin\AppData\Local\Temp\2ABD.exe
PID 3176 wrote to memory of 3768 N/A N/A C:\Users\Admin\AppData\Local\Temp\2ABD.exe
PID 3176 wrote to memory of 4716 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 4716 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 4716 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 4716 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3312 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\F3F6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

C:\Users\Admin\AppData\Local\Temp\F3F6.exe

C:\Users\Admin\AppData\Local\Temp\F3F6.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F5DB.dll

C:\Users\Admin\AppData\Local\Temp\F724.exe

C:\Users\Admin\AppData\Local\Temp\F724.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F5DB.dll

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

C:\Users\Admin\AppData\Local\Temp\8C.exe

C:\Users\Admin\AppData\Local\Temp\8C.exe

C:\Users\Admin\AppData\Local\Temp\427.exe

C:\Users\Admin\AppData\Local\Temp\427.exe

C:\Users\Admin\AppData\Local\Temp\9C5.exe

C:\Users\Admin\AppData\Local\Temp\9C5.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1ea6db0c-86b1-4817-b6c3-f35a4e8c8683" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\14E2.exe

C:\Users\Admin\AppData\Local\Temp\14E2.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1432 -ip 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 340

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\2ABD.exe

C:\Users\Admin\AppData\Local\Temp\2ABD.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

"C:\Users\Admin\AppData\Local\Temp\F1C2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

"C:\Users\Admin\AppData\Local\Temp\F1C2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\8C.exe

"C:\Users\Admin\AppData\Local\Temp\8C.exe"

C:\Users\Admin\AppData\Local\Temp\8C.exe

"C:\Users\Admin\AppData\Local\Temp\8C.exe"

C:\Users\Admin\AppData\Local\Temp\8C.exe

"C:\Users\Admin\AppData\Local\Temp\8C.exe"

C:\Users\Admin\AppData\Local\Temp\8C.exe

"C:\Users\Admin\AppData\Local\Temp\8C.exe"

C:\Users\Admin\AppData\Local\Temp\8C.exe

"C:\Users\Admin\AppData\Local\Temp\8C.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\2ABD.exe

"C:\Users\Admin\AppData\Local\Temp\2ABD.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"
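
The command lines above are the most reusable part of this run: scheduled-task persistence for yiueea.exe and csrss.exe, ACL lockdown of the dropped directories with icacls and cacls, a Defender exclusion covering the whole user profile and Program Files, an inbound firewall allow rule for C:\Windows\rss\csrss.exe, and the Windows Update and BITS services being stopped. The block below is an added example, not part of the sandbox report or any of the listed malware families: it runs a small set of regex rules over those command lines (copied from the Processes section as constructed sample input) and reports which behaviour each one evidences, leaving the ones no rule explains (the WerFault crash handlers and updater.exe) as an explicit remainder. The ATT&CK IDs in the labels are this example's own mapping.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # rule label, with an ATT&CK (sub)technique ID where one applies
    command: str     # the command line that matched


# Constructed sample input: command lines copied from the Processes section of the report.
OBSERVED_COMMAND_LINES = [
    r'icacls "C:\Users\Admin\AppData\Local\1ea6db0c-86b1-4817-b6c3-f35a4e8c8683" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'CACLS "yiueea.exe" /P "Admin:N"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'powercfg /x -hibernate-timeout-ac 0',
    r'C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 340',
    r'"C:\Program Files\Google\Chrome\updater.exe"',
]

# Detection rules: (label, regex matched case-insensitively against the whole command line).
# The ATT&CK IDs are this example's own mapping, not taken from the report.
RULES = [
    ("T1053.005 scheduled task created",
     r"\bschtasks(\.exe)?\b.*\s/create\b"),
    ("T1053.005 scheduled task imported from XML to run as SYSTEM",
     r'\bschtasks(\.exe)?\b.*\s/create\b.*\s/ru\s+"?system"?.*\s/xml\b'),
    ("T1053.005 scheduled task deleted",
     r"\bschtasks(\.exe)?\b.*\s/delete\b"),
    ("T1222.001 ACL deny entry set with icacls",
     r"\bicacls(\.exe)?\b.*\s/deny\b"),
    ("T1222.001 ACL set to 'no access' with cacls",
     r'\bcacls(\.exe)?\b.*\s/p\s+"[^"]+:n"'),
    ("T1562.004 inbound firewall allow rule added",
     r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\badd\s+rule\b.*\baction=allow\b"),
    ("T1562.001 Defender exclusion added",
     r"\badd-mppreference\b.*\s-exclusion(path|process|extension)\b"),
    ("T1489 Windows Update / BITS services stopped",
     r"\bsc(\.exe)?\s+stop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b"),
    ("sleep and hibernate timeouts set to 0 (keeps the host running)",
     r"\bpowercfg(\.exe)?\b.*\s/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
]
COMPILED = [(label, re.compile(pattern, re.IGNORECASE)) for label, pattern in RULES]


def classify(command):
    """Return every rule label that matches one command line, in rule order."""
    return [label for label, rx in COMPILED if rx.search(command)]


def triage(commands):
    """Split command lines into Findings and the remainder no rule explains."""
    findings, unmatched = [], []
    for cmd in commands:
        labels = classify(cmd)
        if labels:
            findings.extend(Finding(label, cmd) for label in labels)
        else:
            unmatched.append(cmd)
    return findings, unmatched


def summarize(findings):
    """Count how many command lines hit each label."""
    return Counter(f.technique for f in findings)


if __name__ == "__main__":
    found, rest = triage(OBSERVED_COMMAND_LINES)
    for f in found:
        print(f"[{f.technique}] {f.command}")
    print("unmatched:", *rest, sep="\n  ")
```

The rules key on the option that does the damage (/deny, ":N", action=allow, -ExclusionPath) rather than on the binary name alone, so a benign `icacls /grant` or a `schtasks /query` from an administrator does not fire. The unmatched list is kept on purpose: the two WerFault invocations and updater.exe carry no telling flag, and a practitioner should see them rather than have them silently dropped.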

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 85.209.11.85:41140 tcp
US 8.8.8.8:53 85.11.209.85.in-addr.arpa udp
BG 171.22.28.236:38306 tcp
US 8.8.8.8:53 236.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 31.26.214.95.in-addr.arpa udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 98bd123d-9d0f-4844-861f-5e99e86ad4bc.uuid.localstats.org udp
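
Most rows in the table above are noise for blocking purposes: the `in-addr.arpa` queries are reverse lookups the sandbox's own resolver stack issues for every IP it touches, and the same C2 endpoint appears once per HTTP request. The block below is an added example, not part of the report: it parses the flattened table (a constructed excerpt copied from the rows above, including the two rows whose Domain column is empty), drops the reverse lookups, and separates resolved domains from raw IP connections, which is the split that decides whether an indicator belongs in DNS filtering or in a firewall rule.

```python
from collections import defaultdict

# Constructed excerpt of the Network table above; two rows have no Domain column.
NETWORK_EXCERPT = """
Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 85.209.11.85:41140 tcp
BG 171.22.28.236:38306 tcp
US 8.8.8.8:53 stalagmijesarl.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 98bd123d-9d0f-4844-861f-5e99e86ad4bc.uuid.localstats.org udp
"""


def parse_network_rows(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue                      # blank line
        host, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue                      # header row
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def extract_iocs(rows, resolver=("8.8.8.8", 53)):
    """Return (queried domain names, {(ip, port): set of names seen with it}).

    Traffic to the sandbox resolver is turned into a domain list, minus reverse
    lookups; everything else is a real endpoint the sample connected to.
    """
    queried, endpoints = set(), defaultdict(set)
    for r in rows:
        if (r["ip"], r["port"]) == resolver:
            name = r["domain"]
            if name and not name.endswith((".in-addr.arpa", ".ip6.arpa")):
                queried.add(name)
            continue
        endpoints[(r["ip"], r["port"])].add(r["domain"])
    return queried, dict(endpoints)


def direct_ip_connections(endpoints):
    """Endpoints reached without a hostname (Domain empty or equal to the IP)."""
    return sorted(ep for ep, names in endpoints.items()
                  if all(n is None or n == ep[0] for n in names))


if __name__ == "__main__":
    rows = parse_network_rows(NETWORK_EXCERPT)
    domains, endpoints = extract_iocs(rows)
    print("domains:", *sorted(domains), sep="\n  ")
    print("endpoints:", *sorted(f"{ip}:{port}" for ip, port in endpoints), sep="\n  ")
    print("no hostname:", *(f"{ip}:{port}" for ip, port in direct_ip_connections(endpoints)), sep="\n  ")
```

The hostname-less endpoints (the high ports on 85.209.11.85 and 171.22.28.236, and 79.137.192.18:80 which was contacted by literal IP) are the ones a DNS-based control would never see; they need a network-layer block, while the `.org` lookups can be sinkholed at the resolver. Shared infrastructure such as api.2ip.ua, transfer.sh and cdn.discordapp.com should be handled as a detection signal rather than a block, since legitimate software uses the same hosts.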

Files

memory/1456-1-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/1456-2-0x0000000000960000-0x000000000096B000-memory.dmp

memory/1456-3-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/1456-5-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/3176-4-0x0000000003010000-0x0000000003026000-memory.dmp

memory/1456-8-0x0000000000960000-0x000000000096B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\F3F6.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

C:\Users\Admin\AppData\Local\Temp\F3F6.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/3312-23-0x0000000000460000-0x0000000000B9E000-memory.dmp

memory/3312-24-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-26-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-29-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-33-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-35-0x0000000077730000-0x0000000077820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F724.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/3312-36-0x00000000779C4000-0x00000000779C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F5DB.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/3312-38-0x0000000077730000-0x0000000077820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F5DB.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

C:\Users\Admin\AppData\Local\Temp\F724.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/3312-28-0x0000000077730000-0x0000000077820000-memory.dmp

memory/4968-44-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/4968-43-0x0000000000490000-0x0000000000496000-memory.dmp

memory/3312-27-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-46-0x0000000000460000-0x0000000000B9E000-memory.dmp

memory/3312-50-0x0000000005F00000-0x00000000064A4000-memory.dmp

memory/1944-49-0x0000000002660000-0x000000000277B000-memory.dmp

memory/3312-52-0x00000000059F0000-0x0000000005A82000-memory.dmp

memory/3312-55-0x0000000005B90000-0x0000000005C2C000-memory.dmp

memory/3720-54-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/3720-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3720-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1944-48-0x00000000025B0000-0x0000000002651000-memory.dmp

memory/3720-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3312-58-0x00000000059E0000-0x00000000059EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8C.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

C:\Users\Admin\AppData\Local\Temp\8C.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

memory/3032-63-0x0000000000170000-0x00000000008C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\427.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\427.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/3312-70-0x0000000000460000-0x0000000000B9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C5.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3312-75-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-77-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-76-0x0000000077730000-0x0000000077820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C5.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3312-82-0x0000000077730000-0x0000000077820000-memory.dmp

memory/2708-84-0x00000000007F0000-0x00000000008F0000-memory.dmp

memory/3312-83-0x0000000077730000-0x0000000077820000-memory.dmp

memory/2708-85-0x0000000000950000-0x0000000000959000-memory.dmp

memory/2708-88-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/3312-91-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3312-92-0x0000000077730000-0x0000000077820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\14E2.exe

MD5 1ce0912c72e8d0bfa728e6a229b04330
SHA1 071804aecef07ef6e2a43cacc9dbacf64a8a2232
SHA256 b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273
SHA512 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e

C:\Users\Admin\AppData\Local\Temp\14E2.exe

MD5 1ce0912c72e8d0bfa728e6a229b04330
SHA1 071804aecef07ef6e2a43cacc9dbacf64a8a2232
SHA256 b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273
SHA512 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e

memory/3312-104-0x0000000077730000-0x0000000077820000-memory.dmp

memory/4968-106-0x0000000002310000-0x0000000002436000-memory.dmp

memory/4968-108-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/1432-109-0x00000000009F0000-0x0000000000AF0000-memory.dmp

memory/1432-110-0x00000000008E0000-0x00000000008EB000-memory.dmp

memory/1432-111-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/4968-112-0x0000000002440000-0x0000000002549000-memory.dmp

memory/3176-114-0x00000000077C0000-0x00000000077D6000-memory.dmp

memory/2708-118-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/4968-116-0x0000000002440000-0x0000000002549000-memory.dmp

memory/3720-120-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3032-121-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3032-122-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3032-123-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3032-124-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3032-126-0x0000000000170000-0x00000000008C6000-memory.dmp

memory/3032-128-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3032-127-0x0000000077730000-0x0000000077820000-memory.dmp

memory/4968-125-0x0000000002440000-0x0000000002549000-memory.dmp

memory/4968-113-0x0000000002440000-0x0000000002549000-memory.dmp

memory/3312-131-0x0000000005C80000-0x0000000005C9C000-memory.dmp

memory/3312-132-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3032-133-0x0000000000170000-0x00000000008C6000-memory.dmp

memory/3312-134-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-138-0x0000000005C80000-0x0000000005C95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ABD.exe

MD5 52bf9d33e1014192f6519323983054c4
SHA1 72279e7ad1d90598d39a5f617b22050c011c1076
SHA256 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd
SHA512 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed

C:\Users\Admin\AppData\Local\Temp\2ABD.exe

MD5 52bf9d33e1014192f6519323983054c4
SHA1 72279e7ad1d90598d39a5f617b22050c011c1076
SHA256 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd
SHA512 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed

memory/3312-142-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-145-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-147-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-150-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-152-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-156-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-160-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/4716-159-0x00000000012A0000-0x000000000130B000-memory.dmp

memory/4716-157-0x0000000001310000-0x0000000001385000-memory.dmp

memory/3312-162-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/4716-155-0x00000000012A0000-0x000000000130B000-memory.dmp

memory/3312-164-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/3312-166-0x0000000005C80000-0x0000000005C95000-memory.dmp

memory/1656-167-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1656-170-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/3312-174-0x00000000059D0000-0x00000000059E0000-memory.dmp

memory/3376-177-0x0000000000E90000-0x0000000000E9C000-memory.dmp

memory/3312-178-0x0000000077730000-0x0000000077820000-memory.dmp

memory/3376-179-0x0000000000E90000-0x0000000000E9C000-memory.dmp

memory/1656-186-0x0000000007F30000-0x0000000008548000-memory.dmp

memory/1656-196-0x0000000006FA0000-0x0000000006FB2000-memory.dmp

memory/1656-200-0x0000000007200000-0x000000000730A000-memory.dmp

memory/1656-202-0x0000000007130000-0x000000000716C000-memory.dmp

memory/1656-176-0x0000000006FF0000-0x0000000007000000-memory.dmp

memory/1656-203-0x0000000007170000-0x00000000071BC000-memory.dmp

memory/3312-175-0x0000000000460000-0x0000000000B9E000-memory.dmp

memory/4716-204-0x00000000012A0000-0x000000000130B000-memory.dmp

memory/3768-205-0x0000000002A60000-0x0000000002E66000-memory.dmp

memory/3768-206-0x0000000002E70000-0x000000000375B000-memory.dmp

C:\Users\Admin\AppData\Local\1ea6db0c-86b1-4817-b6c3-f35a4e8c8683\F1C2.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/3720-216-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\F1C2.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/4564-223-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4564-224-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4564-226-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3768-239-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_evrilpns.c43.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\8C.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

C:\Users\Admin\AppData\Local\Temp\8C.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

C:\Users\Admin\AppData\Local\Temp\8C.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

C:\Users\Admin\AppData\Local\Temp\8C.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

C:\Users\Admin\AppData\Local\Temp\8C.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 4fd6b3a467056385abd8ed1f85da0fa2
SHA1 4c42cd69ac787622af8b0748cb72b76911f9ff76
SHA256 5e9fcb024a6b188bad3226ea736d4b95df2a5cc6b493e0fab951c5bc051fbfec
SHA512 525067ffa8c9ef372255eaf264114971590a64cd06302e33ef89d5465eded3a1579b8b79efa1b445e593fa2cd907ed3394b4f1193c0ed63157ed5f06d4889289

C:\Users\Admin\AppData\Roaming\itwdwgr

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\2ABD.exe

MD5 52bf9d33e1014192f6519323983054c4
SHA1 72279e7ad1d90598d39a5f617b22050c011c1076
SHA256 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd
SHA512 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e6f34915b4a137668be48eaa5ebb527e
SHA1 6818630f9505a80f3130567ac1e495c598289d58
SHA256 fed4b208f7b11ded1ded8e870bcac7e5dd13bbcec757e37812e9a3c437e7b9ab
SHA512 b63abcaea2504bfda6eb3a8046d2db346f2f947a00c811edf191d14458b4d9d36aa2220a57aeaa1e4fcd112037bdd141755a9cc0f776a45c2b7fa25ec54a2b21

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 690e9a3dad3aec207144082bb6e2f2ba
SHA1 68c4632a5d281e868a1939000a04386b0c458295
SHA256 90a96751fb0b0a0eeef3fa4667fc743a684f947d8a5ffe9b22f150cf62c7c96c
SHA512 422fcbcd0a6fb117278c9509d6d473843a72a676010e8e14538bc0e5da44027b9fa7bde018cba54acea6e574a0d5568e54164dfa4232cfd12d3111d874744746

C:\Windows\rss\csrss.exe

MD5 52bf9d33e1014192f6519323983054c4
SHA1 72279e7ad1d90598d39a5f617b22050c011c1076
SHA256 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd
SHA512 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3352c4a44c76834e5b39b30bf1a45c43
SHA1 0910841a7e75deec00b96c758ee3a9c25ab17d70
SHA256 d3ead587208408f9b5d3916d2db4b52ef719106de3d29d791f9fef2771034054
SHA512 6365134b76bccf396cac562451a2bbba7c34f879e23707dd1212f3a706b5b8f95b96da678d569e17e42b30d215a44d90290dfc1f82095e9e945774a82ce6ec18

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 95f5a76efd93ce19b777bd572f2a4db8
SHA1 101893e9b08d3b53f69ce978c6ac146ac67c455d
SHA256 af9b4d02674f675566a28b148a461f8bd0a6582092b6731d8b48aad730b586d4
SHA512 125d81695204f90f5ed67d4112831a1964bfdd493b178bd24839eafebb2f6fd2590da73f5397c24dd5d6ba00816aefcd739770345319acb333c898b15813cb99

C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 893b45c64e8de2a8307370f1bbd91d0a
SHA1 4985feb4589df020f8b0922380269e472585c3b4
SHA256 073185a25755ea570431a052a345d3a853d96fbf8226f9e0adbba327ac0e3d51
SHA512 de4c20d174b2d6d4842c1ae729a16d5edb07745e4d25de5d3a9ccc4b7ad49532acfa06cc8bfa9441d69d838bc6328815eaa2bce54265e2476879701267f7a4a9

C:\Program Files\Google\Chrome\updater.exe

MD5 02e58e84a7a136cfc28a302af9939099
SHA1 03313c0799d96a6f4693b08e5428c516eabc305f
SHA256 0092178ecd741fd010dbabd6df28f4b96cac179f21fb5d7c55976f6e5b8d1ee6
SHA512 11c1fe29902094c12f935d5988d80cb38fb443859e8b0525253b5b52d798c1aa6b9d48b8cb6c35b69f4eb3665a8d0ed7a107065e688de56d0db4382a76e0a720

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 15:38

Reported

2023-10-18 15:40

Platform

win7-20230831-en

Max time kernel

54s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(8 matches; no description, indicator, process or target recorded for any of them)

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 matches; no description, indicator, process or target recorded for any of them)

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3535.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\47BE.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3535.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\47BE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\47BE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3535.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
(4 matches; no description, indicator, process or target recorded for any of them)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\47BE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3535.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3535.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\47BE.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2640 set thread context of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\56BD.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\56BD.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\56BD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
(62 further matches with no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 1300 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 1300 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 1300 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 1300 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\3535.exe
PID 1300 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\3535.exe
PID 1300 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\3535.exe
PID 1300 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\3535.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 1300 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\428F.exe
PID 1300 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\428F.exe
PID 1300 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\428F.exe
PID 1300 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\428F.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1300 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\47BE.exe
PID 1300 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\47BE.exe
PID 1300 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\47BE.exe
PID 1300 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\47BE.exe
PID 1300 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\56BD.exe
PID 1300 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\56BD.exe
PID 1300 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\56BD.exe
PID 1300 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\56BD.exe
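
The two tables above are the raw material for reconstructing the injection chain: every "wrote to memory of" row is one WriteProcessMemory call and the single "set thread context of" row is the SetThreadContext call that redirects the child's thread into the written code. The script below is an added triage example (not part of the sandbox report) that parses a constructed subset of those rows, aggregates them into writer->target edges and reports the edges that carry both a write and a context change. It flags 2640 -> 3028 (31F9.exe relaunching its own image) as a self-hollowing candidate; the 2492 -> 760 edge (64-bit regsvr32.exe writing to its SysWOW64 counterpart while handing it the 32-bit 3E79.dll) has writes but no context change and is left alone. The row format assumes image paths without spaces, as in this report.

```python
import re
from dataclasses import dataclass

# Constructed subset of the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" rows above (the full table repeats
# the 2640 -> 3028 write eleven times). Column order after the description
# is Indicator | Process | Target; "N/A" means the sandbox recorded nothing.
WRITE_ROWS = r"""
PID 1300 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 1300 wrote to memory of 2764 N/A N/A C:\Users\Admin\AppData\Local\Temp\3535.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 2640 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
PID 1300 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1300 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\47BE.exe
"""
CONTEXT_ROWS = r"""
PID 2640 set thread context of 3028 N/A C:\Users\Admin\AppData\Local\Temp\31F9.exe C:\Users\Admin\AppData\Local\Temp\31F9.exe
"""

# Assumes image paths contain no spaces (true for every row in this report).
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) (\S+) (\S+) (\S+)$"
)


@dataclass
class Edge:
    writer: str              # image of the writing process, "N/A" if unrecorded
    target: str              # image of the process being written to
    writes: int = 0          # number of WriteProcessMemory rows on this edge
    set_context: bool = False  # a SetThreadContext row exists on this edge


def parse_rows(text):
    """Turn table rows into (src_pid, kind, dst_pid, writer_image, target_image)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, kind, dst, _indicator, proc, target = m.groups()
        rows.append((int(src), kind, int(dst), proc, target))
    return rows


def build_graph(write_text, context_text):
    """Aggregate rows into one Edge per (writer PID, target PID)."""
    edges = {}
    for src, kind, dst, proc, target in parse_rows(write_text) + parse_rows(context_text):
        edge = edges.setdefault((src, dst), Edge(writer=proc, target=target))
        if kind.startswith("wrote"):
            edge.writes += 1
        else:
            edge.set_context = True
    return edges


def hollowing_candidates(edges):
    """Edges carrying both memory writes and a thread-context change.

    Returns (src, dst, target_image, same_image). same_image is True when the
    writer re-launched its own executable and rewrote the child's context,
    the self-hollowing pattern; a writer with an unrecorded image is still
    reported, with same_image False.
    """
    out = []
    for (src, dst), edge in sorted(edges.items()):
        if edge.writes and edge.set_context:
            same = edge.writer != "N/A" and edge.writer.lower() == edge.target.lower()
            out.append((src, dst, edge.target, same))
    return out


if __name__ == "__main__":
    graph = build_graph(WRITE_ROWS, CONTEXT_ROWS)
    for (src, dst), edge in sorted(graph.items()):
        print(f"{src} -> {dst}: writes={edge.writes} ctx={edge.set_context} target={edge.target}")
    for src, dst, target, same in hollowing_candidates(graph):
        print(f"hollowing candidate: {src} -> {dst} ({target}) same_image={same}")
```

On real telemetry the same logic applies to Sysmon event 8 (CreateRemoteThread) or 10 (ProcessAccess) paired with a SetThreadContext-capable access mask; the point of aggregating by edge is that a single injection shows up as many individual write events, so per-event alerting produces noise while per-edge alerting produces one finding.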

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\31F9.exe

C:\Users\Admin\AppData\Local\Temp\31F9.exe

C:\Users\Admin\AppData\Local\Temp\3535.exe

C:\Users\Admin\AppData\Local\Temp\3535.exe

C:\Users\Admin\AppData\Local\Temp\31F9.exe

C:\Users\Admin\AppData\Local\Temp\31F9.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3E79.dll

C:\Users\Admin\AppData\Local\Temp\428F.exe

C:\Users\Admin\AppData\Local\Temp\428F.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3E79.dll

C:\Users\Admin\AppData\Local\Temp\47BE.exe

C:\Users\Admin\AppData\Local\Temp\47BE.exe

C:\Users\Admin\AppData\Local\Temp\56BD.exe

C:\Users\Admin\AppData\Local\Temp\56BD.exe

C:\Users\Admin\AppData\Local\Temp\71DC.exe

C:\Users\Admin\AppData\Local\Temp\71DC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\24ed172b-c95b-4f2e-a693-e5557d696978" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\91FA.exe

C:\Users\Admin\AppData\Local\Temp\91FA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\31F9.exe

"C:\Users\Admin\AppData\Local\Temp\31F9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\31F9.exe

"C:\Users\Admin\AppData\Local\Temp\31F9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe

"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe"

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe

"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F1FEBC6F-3949-4CA0-A4E8-F11A4C0E3EA8} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe

"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\ihrwvda

C:\Users\Admin\AppData\Roaming\ihrwvda

C:\Users\Admin\AppData\Roaming\ehrwvda

C:\Users\Admin\AppData\Roaming\ehrwvda

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe

"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231018154038.log C:\Windows\Logs\CBS\CbsPersist_20231018154038.cab
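
Several command lines in the process list above are worth turning into detection logic: the icacls call denies Everyone (S-1-1-0) delete and delete-child rights on the Djvu working directory, the CACLS pair sets the dropped yiueea.exe and its folder to "Admin:N" (no access) and then grants read-only, the two schtasks calls create tasks that re-run a payload under the user profile every minute, and regsvr32 silently registers a DLL from %TEMP%. The following script is an added example (not part of the report) that runs four rule patterns over (image, command line) pairs copied from the list, with the makecab.exe line as a benign control. Rule names are my own; the matching is case-insensitive and keys on the image basename so that a schtasks invocation whose command line omits the executable name (the "Azure-Update-Task" line) is still caught.

```python
import re
from collections import Counter

# (image path, command line) pairs copied from the behavioral1 process list;
# the makecab line is a benign control that must not match any rule.
SAMPLE = [
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\24ed172b-c95b-4f2e-a693-e5557d696978" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\577f58beff" /P "Admin:R" /E'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3E79.dll"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"/s C:\Users\Admin\AppData\Local\Temp\3E79.dll"),
    (r"C:\Windows\system32\makecab.exe",
     r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231018154038.log C:\Windows\Logs\CBS\CbsPersist_20231018154038.cab'),
]

# (rule name, image basename pattern, command line pattern). Rule names are
# illustrative, not taken from any product.
RULES = [
    # Everyone (S-1-1-0) denied DE (delete) / DC (delete child) with OI/CI
    # inheritance: the directory and its contents become undeletable by users.
    ("icacls_deny_everyone_delete", r"icacls\.exe",
     r'/deny\s+\*?S-1-1-0:\(OI\)\(CI\)\([^)]*\bDE\b[^)]*\)'),
    # CACLS /P "<user>:N" replaces the ACL with no access for that user;
    # matched both inside a cmd.exe one-liner and as a direct cacls.exe call.
    ("cacls_null_access", r"(cmd|cacls)\.exe",
     r'\bcacls\b[^&|]*?/P\s+"[^"]*:N"'),
    # Task repeating every minute whose action lives under a user profile.
    ("schtasks_minute_userprofile", r"schtasks\.exe",
     r'/sc\s+minute\s+/mo\s+1\b.*?/tr\s+"?[^"]*\\AppData\\'),
    # Silent (/s) registration of a DLL dropped in a Temp directory.
    ("regsvr32_silent_temp_dll", r"regsvr32\.exe",
     r'/s\s+\S*\\Temp\\[^\s"]+\.dll'),
]


def basename(image):
    """Last path component of a Windows path, independent of host OS."""
    return image.rsplit("\\", 1)[-1]


def triage(events):
    """Return (rule name, image basename) for every rule that fires on an event."""
    hits = []
    for image, cmdline in events:
        base = basename(image)
        for name, image_re, cmd_re in RULES:
            if re.fullmatch(image_re, base, re.I) and re.search(cmd_re, cmdline, re.I):
                hits.append((name, base))
    return hits


def hit_counts(events):
    """Number of events each rule fired on."""
    return dict(Counter(name for name, _ in triage(events)))


if __name__ == "__main__":
    for name, base in triage(SAMPLE):
        print(f"{name:32s} {base}")
    print(hit_counts(SAMPLE))
```

The cacls rule deliberately ignores the follow-up `/P "Admin:R" /E` calls: on their own they are an ordinary read-only grant, and it is the preceding `:N` that makes the payload unwritable and undeletable for the very account that runs it. When porting these to Sysmon event 1 or EDR process telemetry, keep the image-basename condition; command lines alone miss the second schtasks call.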

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 stalagmijesarl.com udp
US 188.114.97.0:443 api.2ip.ua tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 colisumy.com udp
MX 187.204.68.14:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
KR 211.40.39.251:80 zexeq.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
KR 211.40.39.251:80 zexeq.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
BG 171.22.28.236:38306 - tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 5.75.212.77:80 5.75.212.77 tcp

Files

memory/2212-1-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/2212-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2212-3-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/2212-5-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/1300-4-0x00000000029D0000-0x00000000029E6000-memory.dmp

memory/2212-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\3535.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/2764-25-0x0000000001170000-0x00000000018AE000-memory.dmp

memory/2640-26-0x0000000000290000-0x0000000000321000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/3028-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3028-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2764-33-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-35-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-36-0x0000000076A10000-0x0000000076A57000-memory.dmp

memory/2764-37-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-39-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-38-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-40-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-42-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-43-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-44-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-45-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-46-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-47-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-48-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2640-50-0x0000000002080000-0x000000000219B000-memory.dmp

memory/2764-51-0x0000000077820000-0x0000000077822000-memory.dmp

memory/2640-49-0x0000000000290000-0x0000000000321000-memory.dmp

memory/2764-41-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-34-0x0000000076580000-0x0000000076690000-memory.dmp

memory/3028-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3028-56-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\428F.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

C:\Users\Admin\AppData\Local\Temp\3E79.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

C:\Users\Admin\AppData\Local\Temp\47BE.exe

MD5 1dc47ac0b00f58cadb013cb4653e3973
SHA1 62aa607a45c4c31e515a5d86a86ab61738c336c0
SHA256 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229
SHA512 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853

\Users\Admin\AppData\Local\Temp\3E79.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/1208-70-0x0000000000B00000-0x0000000001256000-memory.dmp

memory/1208-72-0x0000000076A10000-0x0000000076A57000-memory.dmp

memory/1208-74-0x0000000076580000-0x0000000076690000-memory.dmp

memory/760-75-0x0000000000200000-0x0000000000206000-memory.dmp

memory/1208-76-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-77-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-78-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-79-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-80-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-81-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-82-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-84-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-86-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-87-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-88-0x0000000076A10000-0x0000000076A57000-memory.dmp

memory/1208-89-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-90-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-93-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-92-0x0000000076A10000-0x0000000076A57000-memory.dmp

memory/1208-91-0x0000000076580000-0x0000000076690000-memory.dmp

memory/760-71-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/1208-94-0x0000000076580000-0x0000000076690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56BD.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/1208-95-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-102-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-103-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-104-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-105-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-106-0x0000000076580000-0x0000000076690000-memory.dmp

memory/1208-109-0x0000000000B00000-0x0000000001256000-memory.dmp

memory/2764-110-0x0000000001170000-0x00000000018AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\71DC.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1300-118-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

memory/1876-119-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/1876-122-0x00000000008B5000-0x00000000008C8000-memory.dmp

memory/1876-123-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2764-127-0x0000000074280000-0x000000007496E000-memory.dmp

memory/2348-131-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1208-133-0x0000000074280000-0x000000007496E000-memory.dmp

memory/2348-134-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2348-135-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2348-136-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2348-137-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2348-132-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2348-139-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2348-141-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2764-159-0x0000000001170000-0x00000000018AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3028-163-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2348-162-0x0000000074280000-0x000000007496E000-memory.dmp

memory/760-164-0x00000000021A0000-0x00000000022C6000-memory.dmp

memory/2764-165-0x0000000076A10000-0x0000000076A57000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/760-169-0x00000000022D0000-0x00000000023D9000-memory.dmp

memory/760-170-0x00000000022D0000-0x00000000023D9000-memory.dmp

memory/760-172-0x00000000022D0000-0x00000000023D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91FA.exe

MD5 52bf9d33e1014192f6519323983054c4
SHA1 72279e7ad1d90598d39a5f617b22050c011c1076
SHA256 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd
SHA512 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed

memory/2764-166-0x0000000076580000-0x0000000076690000-memory.dmp

memory/2764-168-0x0000000076580000-0x0000000076690000-memory.dmp

memory/760-179-0x00000000022D0000-0x00000000023D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91FA.exe

MD5 52bf9d33e1014192f6519323983054c4
SHA1 72279e7ad1d90598d39a5f617b22050c011c1076
SHA256 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd
SHA512 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed

C:\Users\Admin\AppData\Local\24ed172b-c95b-4f2e-a693-e5557d696978\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2348-183-0x00000000075A0000-0x00000000075E0000-memory.dmp

memory/1792-185-0x0000000000140000-0x00000000001AB000-memory.dmp

memory/2288-208-0x0000000002860000-0x0000000002C58000-memory.dmp

memory/1888-211-0x0000000000060000-0x000000000006C000-memory.dmp

\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/3028-233-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1652-234-0x0000000000220000-0x00000000002B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\31F9.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c6bdeb38224c6a2bc66e61b714f213cc
SHA1 c0f4fa83143c9977bffffb3f6bdc2b55b05ecc70
SHA256 9ae867c3367626c15d93e179ae805d358734d86debf538e09953ccc19b4276e5
SHA512 facd17c23895daae4c3a82b1585cb12ac029dec60c6e1450f30fa142440b1aa02b41db73bcea592333f26d81f2a768447afe1476585138aaed0c10d0ae17f7ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d113add6176ea0e082f07a4cde0f1e27
SHA1 4961b8a68230a953dce167af8214537124b3c418
SHA256 7f53f067744a039364152a66ab1a2da4d6b0ba526e0cb52dd8186f144360dc58
SHA512 08c75f8e07457f3de0d37a543357cf63bf8c2edc2c10e740373cafdc6a5823a497a248b282ac3b8528deeff776bbdc0c780775435e756bef2903a08e8436869b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4402a0fc0ec273e2c3bd6a1188700b05
SHA1 2c8ff24692967b5ae6a2b827113336b51bfe59d6
SHA256 18b75f28d4760e6da2dd7a54f388dfa8576e124acee9fa1127b0ad7be52c51b9
SHA512 fc105e88cc8c5a785914a2eb6920e4b648db2332e1984e3f61f396562229e89f6a6200859868419664cc5436750a0014934102e618088ccf7c270c13d60b9abf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7c198e53d344f0409291b1ded9827deb
SHA1 bb562c08ee1086b7115c257a72c3f7b6d8a78335
SHA256 d0cee21c954dcc20089e3dcd6579194c9ecafa2ec6e652b938464724389a6999
SHA512 4b7f1c090428230ed16bbfc344142a3338c2108b28214ade8f66f3847fd19bdc4fe848d46f37fffed5b7d28aaac1de6e78c87170c2f159863f99f7fa66d6d946

C:\Users\Admin\AppData\Local\Temp\CabC37E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\91FA.exe

MD5 52bf9d33e1014192f6519323983054c4
SHA1 72279e7ad1d90598d39a5f617b22050c011c1076
SHA256 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd
SHA512 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed

memory/2416-329-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2416-325-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1208-333-0x0000000000910000-0x0000000000925000-memory.dmp

memory/2764-331-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/1208-337-0x0000000000910000-0x0000000000925000-memory.dmp

memory/2764-341-0x00000000006E0000-0x00000000006F5000-memory.dmp

memory/2764-345-0x00000000006E0000-0x00000000006F5000-memory.dmp

\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\Tar74BC.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\ehrwvda

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Roaming\ihrwvda

MD5 a1c2a53b0b4f7004c0ab4e7b71824cb1
SHA1 d7b35120e2211e5a5b695e51fea436f86bcc422b
SHA256 d3ff42e30d8fab9324a80f08e50445a1fcf72fa2cfe410043785bf4ff4c637ae
SHA512 bc9a99ecb463784e670a8741477e29742559b5fe57d98de8f3ed72fc92ae68c34f0f283a6415bbc6463ab418f48d115b740eabe171006d0bbee2c0f638fcb4a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a443f563c40dea8dd61054214a985dc
SHA1 91c570f5712651714e1bc3ccd1ea6ccf3a0d7d69
SHA256 0a7ab831417a466d35ea4504d0549cb1ced54f77467b8f5325f02f4126304ea7
SHA512 4c288da9bbb189b50c22d229203f3168a2454ca4d55b2e1e6b9ba843124e85a94ddd774bfea70ac540fa043ccfdec0c2c01f40797d84b2eab8d704dfd5872d6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 42183e78812ab99e0d74d70a72c72aef
SHA1 08c85edb13376d9d6b38b13ad8d5fa8d1141e430
SHA256 6bb5e0b76820efe0997a1d3683733815b1ada338b8cd9b0574c46b5cfaf4cc38
SHA512 feb5eb444d12f42b115edf3f67f8782d3b61d48fc8ffafee99f0a5c9ddb2c0dc53bdee8a42881275d996194589e6936bca260c66eda207fda9f3abe2f6e4b49b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Roaming\ehrwvda

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Roaming\ihrwvda

MD5 a1c2a53b0b4f7004c0ab4e7b71824cb1
SHA1 d7b35120e2211e5a5b695e51fea436f86bcc422b
SHA256 d3ff42e30d8fab9324a80f08e50445a1fcf72fa2cfe410043785bf4ff4c637ae
SHA512 bc9a99ecb463784e670a8741477e29742559b5fe57d98de8f3ed72fc92ae68c34f0f283a6415bbc6463ab418f48d115b740eabe171006d0bbee2c0f638fcb4a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 42183e78812ab99e0d74d70a72c72aef
SHA1 08c85edb13376d9d6b38b13ad8d5fa8d1141e430
SHA256 6bb5e0b76820efe0997a1d3683733815b1ada338b8cd9b0574c46b5cfaf4cc38
SHA512 feb5eb444d12f42b115edf3f67f8782d3b61d48fc8ffafee99f0a5c9ddb2c0dc53bdee8a42881275d996194589e6936bca260c66eda207fda9f3abe2f6e4b49b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f8fd65f3eca7a3f0340ab8c9862a615
SHA1 5de8b254766ae72d22fdc54e34ea4078ba2e689d
SHA256 7d107e1145e96bd300c7b3635af13ada5de3bd0848274f0d1371017184af74de
SHA512 d5f9b93ac334f627a1aefc4091b0fc280e0dbff6d81a10397fdf343d9ebc3c5dafd8f43dd3de5933f27db7c308fe2dac1b4dfb4f66497b26e8cdc0d647faef7e

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040