Malware Analysis Report

2024-10-16 05:12

Sample ID 231025-y93b4sga8s
Target a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
SHA256 a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
Tags
ammyyadmin flawedammyy rhadamanthys smokeloader stealc backdoor bootkit collection discovery persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115

Threat Level: Known bad

The file a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy rhadamanthys smokeloader stealc backdoor bootkit collection discovery persistence rat spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect rhadamanthys stealer shellcode

SmokeLoader

Stealc

Ammyy Admin

FlawedAmmyy RAT

AmmyyAdmin payload

Rhadamanthys

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 20:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 20:29

Reported

2023-10-25 20:32

Platform

win10v2004-20231023-en

Max time kernel

152s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

FlawedAmmyy RAT

trojan flawedammyy

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2556 created 3284 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\C]2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\C]2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\C]2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 3200 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe
PID 2556 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe C:\Windows\system32\certreq.exe
PID 4980 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe C:\Users\Admin\AppData\Local\Microsoft\C]2.exe
PID 4980 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe C:\Users\Admin\AppData\Local\Microsoft\C]2.exe
PID 4980 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe C:\Users\Admin\AppData\Local\Microsoft\C]2.exe
PID 4980 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe C:\Users\Admin\AppData\Local\Microsoft\C]2.exe
PID 4980 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe C:\Users\Admin\AppData\Local\Microsoft\C]2.exe
PID 4980 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe C:\Users\Admin\AppData\Local\Microsoft\C]2.exe
PID 1364 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1508 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1508 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3284 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 3052 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 3052 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 3052 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 232 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 232 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 232 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 232 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 1116 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 1116 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 1116 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 1116 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4864 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4864 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4864 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4864 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 1684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 1684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 1684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 1684 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2292 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 2292 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 2292 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 2744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2808 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 2808 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 2808 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3284 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3284 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
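The table above is hard to read as printed: the sandbox emits one row per WriteProcessMemory call, so each pair appears four to eight times, and the parent-PID row from the NtCreateUserProcessOtherParentProcess table (2556 created 3284, the Explorer.EXE that the rest of the chain hangs off) lives in a different section. The following Python is an added example, not part of the sandbox report, that parses rows in exactly the shape shown on this page, de-duplicates them, prints the injection chain as a tree, and flags rows where a process running from a user-writable path writes into or creates a process whose image lives under C:\Windows (here: the sample into certreq.exe, and the sample creating Explorer.EXE). SAMPLE_ROWS is a constructed subset of the rows above; the "user path into Windows path" heuristic is an assumption for triage, not a verdict, because a parent filling in its own freshly created child (sNa_h4am.exe into cmd.exe) trips it too.

```python
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "kind src dst src_image dst_image")

# Row shapes from the "Suspicious use of WriteProcessMemory" and
# "NtCreateUserProcessOtherParentProcess" tables. Image paths in this report
# contain no spaces, which the \S+ groups rely on.
_WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
_CREATE = re.compile(r"^PID (\d+) created (\d+) N/A (\S+) (\S+)$")

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe")

# Constructed subset of this report's rows. The sandbox repeats a row once per
# call, so the first row is deliberately present twice.
SAMPLE_ROWS = "\n".join([
    "Description Indicator Process Target",
    f"PID 3200 wrote to memory of 2556 N/A {SAMPLE_EXE} {SAMPLE_EXE}",
    f"PID 3200 wrote to memory of 2556 N/A {SAMPLE_EXE} {SAMPLE_EXE}",
    f"PID 2556 wrote to memory of 2840 N/A {SAMPLE_EXE} C:\\Windows\\system32\\certreq.exe",
    f"PID 2556 created 3284 N/A {SAMPLE_EXE} C:\\Windows\\Explorer.EXE",
    r"PID 3284 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe",
    r"PID 3284 wrote to memory of 3052 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe",
    r"PID 4980 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Microsoft\C]2.exe"
    r" C:\Users\Admin\AppData\Local\Microsoft\C]2.exe",
    r"PID 1364 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe"
    r" C:\Windows\SysWOW64\cmd.exe",
    r"PID 1508 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe",
])


def parse_rows(text):
    """Parse report rows into unique Events, keeping first-seen order."""
    seen, events = set(), []
    for line in text.splitlines():
        line = line.strip()
        m, kind = _WRITE.match(line), "write"
        if not m:
            m, kind = _CREATE.match(line), "create"
        if not m:
            continue  # table header or an unrelated row
        ev = Event(kind, int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def image_map(events):
    """PID -> image path, taken from whichever row names the PID first."""
    images = {}
    for ev in events:
        images.setdefault(ev.src, ev.src_image)
        images.setdefault(ev.dst, ev.dst_image)
    return images


def roots(events):
    """PIDs that are never written into or created: where each chain starts."""
    return sorted({ev.src for ev in events} - {ev.dst for ev in events})


def render_tree(events):
    """Indented text tree of who wrote into / created whom, one line per PID."""
    children = defaultdict(list)
    for ev in events:
        if ev.dst not in children[ev.src]:
            children[ev.src].append(ev.dst)
    images, lines, seen = image_map(events), [], set()

    def walk(pid, depth):
        if pid in seen:  # guard against a process writing back into an ancestor
            return
        seen.add(pid)
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for r in roots(events):
        walk(r, 0)
    return lines


def _is_windows_image(path):
    return path.lower().startswith("c:\\windows\\")


def triage_candidates(events):
    """Rows where a user-path process writes into or creates a C:\\Windows process."""
    return [ev for ev in events
            if _is_windows_image(ev.dst_image) and not _is_windows_image(ev.src_image)]


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(evs)))
    for ev in triage_candidates(evs):
        print(f"triage: {ev.src} -> {ev.dst} ({ev.kind}) {ev.dst_image}")
```

Feeding the full table through parse_rows collapses the 64 rows above into a handful of edges; the tree output makes the two-stage structure visible at a glance (sample writes into its own child, that child seeds certreq.exe and Explorer.EXE, Explorer then writes into a series of 32-bit and 64-bit explorer.exe workers).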

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
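Several of the registry and file signatures above share one row shape ("Key opened <key> <process> N/A", "File opened for modification <path> <process> N/A") and, read together, tell the story: certreq.exe and SysWOW64\explorer.exe, neither of which is a mail client, open Outlook profile keys; A3C8.tmp\svchost.exe opens \??\PhysicalDrive0 for modification; C]2.exe enumerates the SCSI device key. The Python below is an added example, not part of the sandbox report, that parses those rows and applies four rules to them. Indicators on this page contain spaces ("Control Panel", "Windows NT"), so the parser matches the indicator non-greedily up to the first drive-letter path, which is the process image. The MAIL_CLIENTS allowlist and the final OUTLOOK.EXE row are assumptions constructed for the example; SAMPLE_ROWS otherwise reproduces rows from this page.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "action indicator process")

# Row shape of the registry/file signature tables on this page.
_ROW = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key enumerated|Key queried|"
    r"File opened for modification) (?P<indicator>.+?) (?P<process>[A-Za-z]:\\.+?) N/A$")

# Processes expected to open Outlook profiles. Assumption for this example;
# tune it to the mail clients actually deployed.
MAIL_CLIENTS = {"outlook.exe"}

SID = r"\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000"

# Constructed from this page's rows; the last row is a hypothetical benign one.
SAMPLE_ROWS = "\n".join([
    "Description Indicator Process Target",
    "Key value queried " + SID + r"\Control Panel\International\Geo\Nation"
    r" C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe N/A",
    "Key opened " + SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
    r" C:\Windows\system32\certreq.exe N/A",
    "Key opened " + SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"
    r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A",
    r"File opened for modification \??\PhysicalDrive0"
    r" C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe N/A",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
    r" C:\Users\Admin\AppData\Local\Microsoft\C]2.exe N/A",
    "Key opened " + SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
    r" C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE N/A",
])


def parse_rows(text):
    events = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            events.append(Event(m["action"], m["indicator"], m["process"]))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return (severity, rule) for one row, or None when no rule applies."""
    ind, proc = ev.indicator.lower(), basename(ev.process)
    # Opening the raw disk for write is how an MBR bootkit gets installed.
    if ev.action == "File opened for modification" and re.fullmatch(r"\\\?\?\\physicaldrive\d+", ind):
        return ("high", "raw-disk-open-for-write")
    # Outlook profile keys hold account settings; only mail clients need them.
    if ("\\outlook\\profiles" in ind or "\\windows messaging subsystem\\profiles" in ind) \
            and proc not in MAIL_CLIENTS:
        return ("high", "outlook-profile-access-by-non-mail-client")
    # Geo\Nation is the locale check the sandbox labels "computer location settings".
    if ind.endswith("\\control panel\\international\\geo\\nation"):
        return ("low", "geo-nation-locale-check")
    # Enumerating SCSI devices exposes disk identifiers, a common VM fingerprint.
    if "\\enum\\scsi" in ind:
        return ("low", "scsi-device-enumeration")
    return None


def triage(text):
    """(severity, rule, process basename, indicator) for every row a rule matches."""
    findings = []
    for ev in parse_rows(text):
        hit = evaluate(ev)
        if hit:
            findings.append((hit[0], hit[1], basename(ev.process), ev.indicator))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(*f)
```

The two "high" rules are the ones worth alerting on outside a sandbox as well: a user-mode process opening \\.\PhysicalDrive0 for write, or a non-mail binary reading Outlook profile keys, is rarely legitimate on a workstation. The "low" rules are discovery behaviour that also occurs in benign software and are only useful in combination.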

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe

"C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe"

C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe

C:\Users\Admin\AppData\Local\Temp\a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe

"C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe"

C:\Users\Admin\AppData\Local\Microsoft\C]2.exe

"C:\Users\Admin\AppData\Local\Microsoft\C]2.exe"

C:\Users\Admin\AppData\Local\Microsoft\0J).exe

"C:\Users\Admin\AppData\Local\Microsoft\0J).exe"

C:\Users\Admin\AppData\Local\Microsoft\C]2.exe

C:\Users\Admin\AppData\Local\Microsoft\C]2.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1364 -ip 1364

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2504

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe -debug

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\aa_nts.dll",run
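The cmd.exe entry in the process list above is the cleanup chain sNa_h4am.exe runs before it exits: sleep five seconds with timeout.exe, delete its own image, then delete every DLL in C:\ProgramData (nss3.dll and mozglue.dll, dropped there to read browser databases, appear under Files below). Note the stray extra double quote before "& exit"; it is in the captured command line, and any parser has to tolerate it. The Python below is an added example, not part of the sandbox report, that recognises this pattern in process-creation command lines and recovers the deleted path, which is what an incident responder needs after the binary is gone from disk. SAMPLE_CMDLINES starts with the command line captured on this page; the ping-based variant and the benign log deletion are constructed for the example, and the assumption that file names contain no "&" is stated in the code.

```python
import re

# Matches "cmd.exe /c ..." whether or not the image path is quoted or absolute.
_CMD_PREFIX = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/c\s+', re.I)
# "timeout /t N" or "ping <host> -n N": the two usual ways to sleep from cmd.
_DELAY = re.compile(
    r'^(?:timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)|ping(?:\.exe)?\s+\S+\s+-n\s+(\d+))', re.I)
_DEL = re.compile(r'^(?:del|erase)\b(.*)$', re.I)

SAMPLE_CMDLINES = [
    # captured on this page (stray quote included)
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q'
    r' "C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe" & del "C:\ProgramData\*.dll"" & exit',
    r'timeout /t 5',                                                   # the child, not the chain
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\aa_nts.dll",run',
    # constructed: same idea using ping as the sleep
    r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 6 > nul & del /f /q'
    r' "C:\Users\Admin\AppData\Local\Temp\stage2.exe"',
    # constructed benign: no delay and not a PE
    r'"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Users\Admin\Documents\old.log"',
]


def _segments(cmdline):
    """Split the payload after '/c' on '&'. Assumes no '&' inside file names."""
    cmdline = cmdline.strip()
    m = _CMD_PREFIX.match(cmdline)
    if not m:
        return None
    return [s.strip() for s in cmdline[m.end():].split("&") if s.strip()]


def _del_target(segment):
    """Path argument of a 'del' segment with switches (/f, /q, ...) removed."""
    m = _DEL.match(segment)
    if not m:
        return None
    args = [t for t in m.group(1).split() if not t.startswith("/")]
    # strip('"') also removes the doubled quote seen in this report's command line
    return " ".join(args).strip('"') or None


def analyze(cmdline):
    """None if this is not a 'cmd /c' chain; otherwise the delay, the paths
    deleted, and whether it looks like a delayed self-delete of a PE."""
    segs = _segments(cmdline)
    if segs is None:
        return None
    delay, deleted = None, []
    for seg in segs:
        d = _DELAY.match(seg)
        if d:
            delay = int(d.group(1) or d.group(2))
        target = _del_target(seg)
        if target:
            deleted.append(target)
    binaries = [t for t in deleted if t.lower().endswith((".exe", ".dll"))]
    return {"delay": delay, "deleted": deleted,
            "self_delete": delay is not None and bool(binaries)}


if __name__ == "__main__":
    for cl in SAMPLE_CMDLINES:
        print(analyze(cl))
```

When this fires on an endpoint, the parent of cmd.exe is the process that is about to disappear, and the first "deleted" path is its on-disk image; pulling that file (or its prefetch entry and $MFT record) before the timeout elapses is the time-critical step.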

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 matthewsamuel.top udp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
US 8.8.8.8:53 150.27.11.45.in-addr.arpa udp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 zxmextog23.xyz udp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 242.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
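Most rows in the Network table are noise for indicator extraction: resolver traffic to 8.8.8.8 and the reverse (PTR) lookups the sandbox performs on every address it sees. What matters is the set of hosts actually connected to, how often, and which names were queried but never contacted (zxmextog23.xyz is resolved above but no connection to it follows). The PTR names are still useful as a cross-check: 61.66.131.45.in-addr.arpa is 45.131.66.61 with the octets reversed, the amxt25.xyz host. The Python below is an added example, not part of the sandbox report, that parses rows in the table's exact shape, including the domain-less 136.243.104.242:443 row, and produces that summary. SAMPLE_ROWS is a constructed subset of the table above.

```python
import re
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "country dest_ip dest_port domain proto")

# Row shape of this report's Network table; the domain column may be absent.
_ROW = re.compile(
    r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (udp|tcp)$")

# Constructed subset of the rows on this page.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 matthewsamuel.top udp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
RU 45.11.27.150:80 matthewsamuel.top tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 zxmextog23.xyz udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            flows.append(Flow(m.group(1), m.group(2), int(m.group(3)),
                              m.group(4) or "", m.group(5)))
    return flows


def ptr_to_ip(name):
    """'61.66.131.45.in-addr.arpa' -> '45.131.66.61'; None for non-PTR names."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def kind(flow):
    """Classify a row: resolver PTR lookup, resolver forward query, or a connection."""
    if flow.dest_port == 53 and flow.proto == "udp":
        return "ptr-lookup" if flow.domain.endswith(".in-addr.arpa") else "dns-query"
    return "connection"


def summarize(flows):
    queried = {f.domain for f in flows if kind(f) == "dns-query"}
    ptr_ips = {ptr_to_ip(f.domain) for f in flows if kind(f) == "ptr-lookup"} - {None}
    conns = Counter((f.dest_ip, f.dest_port, f.domain)
                    for f in flows if kind(f) == "connection")
    contacted = {d for (_, _, d) in conns if d}
    return {
        "queried": queried,                              # names resolved
        "contacted": conns,                              # (ip, port, name) -> count
        "queried_not_contacted": queried - contacted,    # resolved, never connected
        "ptr_corroborated": {ip for (ip, _, _) in conns} & ptr_ips,
    }


if __name__ == "__main__":
    s = summarize(parse_flows(SAMPLE_ROWS))
    for (ip, port, name), n in s["contacted"].most_common():
        print(f"{ip}:{port} {name or '-'} x{n}")
    print("queried but never contacted:", sorted(s["queried_not_contacted"]))
```

Two caveats before turning the output into blocks: rl.ammyy.com and www.ammyy.com are the vendor's own relay and web hosts, so the Ammyy rows identify the remote-control tooling rather than attacker infrastructure, and the 136.243.104.242:443 connection carries no name in the capture, so it needs the TLS SNI or a passive-DNS lookup before it can be attributed.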

Files

memory/3200-0-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3200-1-0x0000000000F10000-0x0000000001272000-memory.dmp

memory/3200-2-0x0000000005CB0000-0x0000000005D42000-memory.dmp

memory/3200-3-0x0000000005C00000-0x0000000005C10000-memory.dmp

memory/3200-4-0x0000000005D50000-0x0000000005F3E000-memory.dmp

memory/3200-5-0x0000000006410000-0x0000000006490000-memory.dmp

memory/3200-6-0x0000000006490000-0x00000000064F8000-memory.dmp

memory/3200-7-0x0000000006500000-0x0000000006568000-memory.dmp

memory/3200-8-0x0000000006570000-0x00000000065BC000-memory.dmp

memory/3200-9-0x0000000006B70000-0x0000000007114000-memory.dmp

memory/2556-10-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2556-13-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2556-14-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3200-15-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/2556-16-0x00000000015C0000-0x00000000015C7000-memory.dmp

memory/2556-17-0x0000000003380000-0x0000000003780000-memory.dmp

memory/2556-18-0x0000000003380000-0x0000000003780000-memory.dmp

memory/2556-19-0x0000000003380000-0x0000000003780000-memory.dmp

memory/2556-20-0x0000000003380000-0x0000000003780000-memory.dmp

memory/2840-21-0x000001D2985E0000-0x000001D2985E3000-memory.dmp

memory/2556-22-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2556-23-0x00000000040C0000-0x00000000040F6000-memory.dmp

memory/2556-30-0x0000000003380000-0x0000000003780000-memory.dmp

memory/2556-29-0x00000000040C0000-0x00000000040F6000-memory.dmp

memory/2556-31-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2556-32-0x0000000003380000-0x0000000003780000-memory.dmp

memory/2840-33-0x000001D2985E0000-0x000001D2985E3000-memory.dmp

memory/2840-34-0x000001D2989A0000-0x000001D2989A7000-memory.dmp

memory/2840-36-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-35-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-37-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-38-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-39-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-41-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-43-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-45-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-46-0x00007FF9E6B10000-0x00007FF9E6D05000-memory.dmp

memory/2840-44-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-47-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-50-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-51-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-52-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-53-0x00007FF469440000-0x00007FF46956F000-memory.dmp

memory/2840-54-0x00007FF9E6B10000-0x00007FF9E6D05000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe

MD5 f445dce24fe09b59d9affb9f0a16ee7e
SHA1 9d2b2ef3e57c7a571c20d078dbac82576cdfcb30
SHA256 7476d2335a1f3cf87f1995a40147d6ee0acaf9cf0c9895a595365942b64be5a3
SHA512 6e721fbfc49a7780b20be1173795f602b3b4ccf9a8ce5625fc38ec15f818943dd7a0e56a75b4cb9719f2255b28d2ec538257f55ea383f2407069e5f93314edb8

C:\Users\Admin\AppData\Local\Microsoft\sNa_h4am.exe

MD5 f445dce24fe09b59d9affb9f0a16ee7e
SHA1 9d2b2ef3e57c7a571c20d078dbac82576cdfcb30
SHA256 7476d2335a1f3cf87f1995a40147d6ee0acaf9cf0c9895a595365942b64be5a3
SHA512 6e721fbfc49a7780b20be1173795f602b3b4ccf9a8ce5625fc38ec15f818943dd7a0e56a75b4cb9719f2255b28d2ec538257f55ea383f2407069e5f93314edb8

C:\Users\Admin\AppData\Local\Microsoft\C]2.exe

MD5 a5e52d00a57904485aeb8e6580ce4666
SHA1 8f10588d8fcb6bb4d734c6e31fdaf2c165f87d92
SHA256 13d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71
SHA512 f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76

C:\Users\Admin\AppData\Local\Microsoft\C]2.exe

MD5 a5e52d00a57904485aeb8e6580ce4666
SHA1 8f10588d8fcb6bb4d734c6e31fdaf2c165f87d92
SHA256 13d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71
SHA512 f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76

memory/4980-64-0x0000000000430000-0x00000000006BE000-memory.dmp

memory/4980-63-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/4980-65-0x0000000005080000-0x0000000005090000-memory.dmp

memory/4980-66-0x0000000005090000-0x00000000051AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\0J).exe

MD5 2a40a56b3dbe361864baac57a7815de4
SHA1 a0b67c7eb5bb378010ada7a3cf6bfe4101df9049
SHA256 3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99
SHA512 6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2

C:\Users\Admin\AppData\Local\Microsoft\0J).exe

MD5 2a40a56b3dbe361864baac57a7815de4
SHA1 a0b67c7eb5bb378010ada7a3cf6bfe4101df9049
SHA256 3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99
SHA512 6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2

memory/4980-69-0x0000000005580000-0x00000000055CA000-memory.dmp

memory/4980-70-0x00000000051D0000-0x0000000005202000-memory.dmp

memory/4980-71-0x00000000055F0000-0x0000000005622000-memory.dmp

memory/3240-72-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\C]2.exe

MD5 a5e52d00a57904485aeb8e6580ce4666
SHA1 8f10588d8fcb6bb4d734c6e31fdaf2c165f87d92
SHA256 13d55838fe9e2e638ea8d21e86dab4fc28c8d9ba94526b79d48d0e83ce21fe71
SHA512 f14ca4c6017ffff6df0141cd706770225b9418029b69e37ff1f7d50ce2941cefb1e3f6d20df1897cb6cf3dc8db8e171d4ee94b72dac0b9375c31cb2e652b0b76

memory/3240-75-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4980-76-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/1364-77-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/1364-78-0x0000000000780000-0x000000000079B000-memory.dmp

memory/1364-79-0x0000000000400000-0x000000000062D000-memory.dmp

memory/2840-80-0x000001D2989A0000-0x000001D2989A5000-memory.dmp

memory/2840-81-0x00007FF9E6B10000-0x00007FF9E6D05000-memory.dmp

memory/3240-84-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3284-82-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

memory/1364-86-0x0000000000400000-0x000000000062D000-memory.dmp

memory/1364-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1364-128-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/1364-135-0x0000000000780000-0x000000000079B000-memory.dmp

memory/1364-139-0x0000000000400000-0x000000000062D000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/1364-164-0x0000000000400000-0x000000000062D000-memory.dmp

memory/4496-173-0x0000000000D00000-0x0000000000D75000-memory.dmp

memory/4496-175-0x0000000000C90000-0x0000000000CFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DE6.tmp

MD5 44d2ab225d5338fedd68e8983242a869
SHA1 98860eaac2087b0564e2d3e0bf0d1f25e21e0eeb
SHA256 217c293b309195f479ca76bf78898a98685ba2854639dfd1293950232a6c6695
SHA512 611eb322a163200b4718f0b48c7a50a5e245af35f0c539f500ad9b517c4400c06dd64a3df30310223a6328eeb38862be7556346ec14a460e33b5c923153ac4a7

C:\Users\Admin\AppData\Local\Temp\6E27.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/4496-198-0x0000000000C90000-0x0000000000CFB000-memory.dmp

memory/3052-197-0x0000000000390000-0x000000000039C000-memory.dmp

memory/3052-200-0x0000000000390000-0x000000000039C000-memory.dmp

memory/3052-199-0x00000000003A0000-0x00000000003A7000-memory.dmp

memory/232-201-0x0000000000DA0000-0x0000000000DA4000-memory.dmp

memory/232-203-0x0000000000D90000-0x0000000000D99000-memory.dmp

memory/1116-204-0x0000000000410000-0x000000000041B000-memory.dmp

memory/1364-207-0x0000000000400000-0x000000000062D000-memory.dmp

memory/1116-206-0x0000000000410000-0x000000000041B000-memory.dmp

memory/1116-205-0x0000000000420000-0x000000000042A000-memory.dmp

memory/4864-209-0x00000000005D0000-0x00000000005D7000-memory.dmp

memory/4864-208-0x00000000005C0000-0x00000000005CB000-memory.dmp

memory/4864-210-0x00000000005C0000-0x00000000005CB000-memory.dmp

memory/4372-211-0x00000000004E0000-0x00000000004E9000-memory.dmp

memory/4372-213-0x00000000004D0000-0x00000000004DF000-memory.dmp

memory/1684-214-0x0000000000380000-0x0000000000385000-memory.dmp

memory/1684-216-0x0000000000370000-0x0000000000379000-memory.dmp

memory/2292-218-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

memory/2292-217-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

memory/2292-219-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

memory/232-220-0x0000000000D90000-0x0000000000D99000-memory.dmp

memory/2744-221-0x0000000000540000-0x0000000000549000-memory.dmp

memory/2744-222-0x0000000000550000-0x0000000000554000-memory.dmp

memory/4864-224-0x00000000005D0000-0x00000000005D7000-memory.dmp

memory/2808-225-0x0000000000900000-0x0000000000905000-memory.dmp

memory/2808-226-0x00000000008F0000-0x00000000008F9000-memory.dmp

memory/2808-223-0x00000000008F0000-0x00000000008F9000-memory.dmp

memory/4372-228-0x00000000004D0000-0x00000000004DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\Users\Admin\AppData\Local\Temp\A3C8.tmp\aa_nts.msg

MD5 3f05819f995b4dafa1b5d55ce8d1f411
SHA1 404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA256 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA512 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026