Malware Analysis Report

2025-08-05 21:24

Sample ID 231222-lsrg3ahba9
Target 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6
SHA256 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6
Tags
vmprotect
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Checks computer location settings

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy WMI provider

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2023-12-22 09:48

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 09:48

Reported

2023-12-22 09:50

Platform

win7-20231215-en

Max time kernel

139s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe

"C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe"

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

Network

Country  Destination             Domain                         Proto
CN       38.54.101.181:80                                       tcp
US       38.60.204.65:53261      38.60.204.65                   tcp
HK       103.243.183.201:18479                                  tcp
HK       103.243.183.201:18479                                  tcp
N/A      192.168.1.2:6341                                       udp
N/A      192.168.1.2:6341                                       udp
N/A      192.168.1.2:6341                                       udp

Files

memory/2960-0-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2960-2-0x0000000000F60000-0x00000000017CE000-memory.dmp

memory/2960-3-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2960-5-0x0000000000F60000-0x00000000017CE000-memory.dmp

memory/2960-7-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2960-9-0x0000000077090000-0x0000000077091000-memory.dmp

memory/2960-11-0x0000000002DD0000-0x0000000003162000-memory.dmp

memory/2960-12-0x0000000010000000-0x0000000010396000-memory.dmp

\Windows\Runn\Yloux.exe

MD5 0429f275b221c39db1980a9c0c138d88
SHA1 4b5a96f2f5127462b59fa5c8aa3285898284fd79
SHA256 15037c378cf027a87cc278e0390b01a35657f8412a0d1571db2d423a605af884
SHA512 d8f0d1139464a8c799b9fb662250d4cbf711b2c6611b24520943e9d877ab6379a5c3716e95c5e76d6a5593756dbb64eaca8ea1c668f5ec43f3e521c7fd16fcce

C:\windows\Runn\1.bin

MD5 2d3418c6602a6a952f665509558c4a5c
SHA1 2f701f0f121f13abecfc10311c5db1a63c227f72
SHA256 9f3d4d68da154c13657816aa787e6766fc28c8820da748aa4398daf7bc435e43
SHA512 d0b24e3c81a9bb08b45560d3a8389c2212059c525c617b66ef5bbe8a920851509de3d5982ecabdb432315d9b231f259efdaffc6d0fd7cea27c9d38a4c8dc7232

memory/2744-29-0x0000000000460000-0x0000000000560000-memory.dmp

memory/2960-34-0x0000000000F60000-0x00000000017CE000-memory.dmp

memory/2744-35-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2744-41-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2744-42-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2960-46-0x0000000000F60000-0x00000000017CE000-memory.dmp

memory/2744-47-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2744-48-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2744-49-0x0000000000460000-0x0000000000560000-memory.dmp

memory/2744-54-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2744-53-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2744-52-0x0000000000560000-0x000000000059E000-memory.dmp

memory/2744-51-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2744-50-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2744-55-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2744-56-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2744-59-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2744-63-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2744-65-0x0000000180000000-0x0000000180033000-memory.dmp

memory/2744-66-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2744-67-0x0000000001DD0000-0x0000000001E14000-memory.dmp

memory/2744-74-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 09:48

Reported

2023-12-22 09:50

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1703238513" C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe

"C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe"

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe

"C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{A21E22C3-E1AD-4808-BFB9-A80BA3620690}"

Network

Country  Destination             Domain                         Proto
CN       38.54.101.181:80                                       tcp
US       8.8.8.8:53              g.bing.com                     udp
US       204.79.197.200:443      g.bing.com                     tcp
US       8.8.8.8:53              140.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53              209.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53              95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53              181.101.54.38.in-addr.arpa     udp
US       8.8.8.8:53              9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53              200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53              205.47.74.20.in-addr.arpa      udp
US       8.8.8.8:53              41.110.16.96.in-addr.arpa      udp
US       38.60.204.65:53261      38.60.204.65                   tcp
US       8.8.8.8:53              65.204.60.38.in-addr.arpa      udp
HK       103.243.183.201:18479                                  tcp
US       8.8.8.8:53              201.183.243.103.in-addr.arpa   udp
HK       103.243.183.201:18479                                  tcp
US       8.8.8.8:53              103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53              56.126.166.20.in-addr.arpa     udp
US       8.8.8.8:53              217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53              180.178.17.96.in-addr.arpa     udp
N/A      192.168.1.2:6341                                       udp
US       8.8.8.8:53              2.1.168.192.in-addr.arpa       udp
N/A      192.168.1.2:6341                                       udp
US       8.8.8.8:53              19.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53              240.221.184.93.in-addr.arpa    udp
N/A      192.168.1.2:6341                                       udp
US       8.8.8.8:53              170.117.168.52.in-addr.arpa    udp

Files

memory/3600-1-0x0000000000580000-0x0000000000DEE000-memory.dmp

memory/3600-0-0x0000000001490000-0x0000000001491000-memory.dmp

memory/3600-3-0x0000000000580000-0x0000000000DEE000-memory.dmp

memory/3600-5-0x0000000003760000-0x0000000003AF2000-memory.dmp

memory/3600-6-0x0000000010000000-0x0000000010396000-memory.dmp

C:\Windows\Runn\Yloux.exe

MD5 0429f275b221c39db1980a9c0c138d88
SHA1 4b5a96f2f5127462b59fa5c8aa3285898284fd79
SHA256 15037c378cf027a87cc278e0390b01a35657f8412a0d1571db2d423a605af884
SHA512 d8f0d1139464a8c799b9fb662250d4cbf711b2c6611b24520943e9d877ab6379a5c3716e95c5e76d6a5593756dbb64eaca8ea1c668f5ec43f3e521c7fd16fcce

C:\windows\Runn\1.bin

MD5 2d3418c6602a6a952f665509558c4a5c
SHA1 2f701f0f121f13abecfc10311c5db1a63c227f72
SHA256 9f3d4d68da154c13657816aa787e6766fc28c8820da748aa4398daf7bc435e43
SHA512 d0b24e3c81a9bb08b45560d3a8389c2212059c525c617b66ef5bbe8a920851509de3d5982ecabdb432315d9b231f259efdaffc6d0fd7cea27c9d38a4c8dc7232

memory/632-25-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/3600-30-0x0000000000580000-0x0000000000DEE000-memory.dmp

memory/632-38-0x0000000180000000-0x0000000180033000-memory.dmp

memory/632-37-0x0000000180000000-0x0000000180033000-memory.dmp

memory/632-31-0x0000000180000000-0x0000000180033000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe

MD5 678061aa88499e4969dd4e341d63eef6
SHA1 20d409767676a0df088cb8a0e37a3585b28b828b
SHA256 20c54266295e8de4240e6382eda9462c4baf1526862673abec1c485dcad16767
SHA512 b3794386b336e6d4763bd0fa54318c2fc0eba0d2c36e63b81f61c252b1076cb68c22cdd6ce4b7f37d6a134f7e4e2d4fc17ce73eb3fc441f2fc33042f67152548

C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe

MD5 6400e6037af65b64957e9b6740c2f38a
SHA1 4b3f57efa3f67996a52b711b1378a1a010a9ae23
SHA256 1af3ded0e4e8ee365a4ee40b6e0b7d110767b4f02a15dc7304548996548b04fe
SHA512 e5614e1f4b450d4179bd925e5eb5f04977dbfb43f0a45e4b94e619804c5981e4650aba4144e566f75d09a341bffe422730bc63942589d818e30fd736c044f9e4

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 ff0c7c2667dff4f3ed588f40d047c642
SHA1 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf
SHA256 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
SHA512 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 2dfd4f9d3487d9650837dfb791257cff
SHA1 bf917cc1dc359d37ac5b9e3f41e972dce4a23682
SHA256 5ccaf7987672351b0b31d6fe79af9f5f44a0b4817b8826389992ba6eac341cd1
SHA512 ebbcf8f8095a4625659a15de91e80b14b43b607ae6a2eab55aef018ca3942f9a3b9a168e0a4e98096cfbfc125da3d2d872f8cb39eee7ec14e4afbad84bada87f

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 b41f2e813f22dc07d55a69743fe7b348
SHA1 d415dffd038e8ac046c8739de31f27e310bc3947
SHA256 4a4cb3fa898d2dd19f6ab8e9fb1ace3f9a2a64c95b1b4db8b7a31dcbce27c538
SHA512 97cec08f492c3bafe5a8fe7437cf906e27c01f40496ddd926c46d431b2d462bfeca0cc06ca4e545615d6eaacb9350aef29d1e5d9e32195747ccd39265e0fc8aa

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 6b567b6daf1252f2782d50a9cf6c77c9
SHA1 4a7357f1acc65ca025aef13d8dab4c02e024ae6d
SHA256 b3257a406a183d32b5641cb4c3c2dde9dd302554975555bd9e5ba0533476c5a2
SHA512 a69cef3a44215294ec6eb21b745974e86ff477e164627f03b23584d3af958fb012d0aa0552972cd541264dd9b500367bfacd3621d02e1e0d4735929c1010e6be

C:\Users\Admin\AppData\Local\Temp\{A21E22C3-E1AD-4808-BFB9-A80BA3620690}

MD5 72503c548709344f6069804ec45c670c
SHA1 867cb8ea8ba43869bce7eae2353b5d64bfdd59fb
SHA256 bbaa9746e7e3646a131221080ab17f4d9db4a4c7853bbf12e49fc0c168f44139
SHA512 1a2fea19ac316fd6e618ed1745856752582954256ff2777c4c4e921ba68a46cd7ba6bb81db861906a4d6e754f5aea6dcbbeea77f23c6e58469d89fb37b1e2843

memory/632-182-0x0000000180000000-0x0000000180033000-memory.dmp

memory/3600-184-0x0000000000580000-0x0000000000DEE000-memory.dmp

memory/632-186-0x0000000180000000-0x0000000180033000-memory.dmp

memory/632-185-0x0000000180000000-0x0000000180033000-memory.dmp

memory/632-188-0x0000000002C30000-0x0000000002C6E000-memory.dmp

memory/632-190-0x0000000002E70000-0x0000000002EB4000-memory.dmp

memory/632-187-0x0000000002E70000-0x0000000002EB4000-memory.dmp

memory/632-191-0x0000000002E70000-0x0000000002EB4000-memory.dmp

C:\windows\Runn\Yloux.exe

MD5 997ccbe621e8d137c19e13d1327c74a5
SHA1 9ba492542670293b5c16fc843b8046c313f3cf8d
SHA256 0132b8ea8623f709bc11ce55f15b14d51ea4f3eb5156a41efc35b777adcf4ad2
SHA512 185ea496e9231e6b9d26b593eb43ece6131cffc9df85d0bac08fe62ba7d1bd97f2763cd6d64dd3f96fe7ab8a0f5d45081d288da10ed625899c233813a2a53045

memory/632-192-0x0000000002E70000-0x0000000002EB4000-memory.dmp

memory/632-194-0x0000000000400000-0x0000000000456000-memory.dmp

memory/632-196-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/632-198-0x0000000002E70000-0x0000000002EB4000-memory.dmp

memory/632-201-0x0000000180000000-0x0000000180033000-memory.dmp

memory/632-202-0x0000000002E70000-0x0000000002EB4000-memory.dmp

memory/632-203-0x0000000180000000-0x0000000180033000-memory.dmp

memory/632-205-0x0000000002E70000-0x0000000002EB4000-memory.dmp

memory/632-211-0x0000000002E70000-0x0000000002EB4000-memory.dmp

memory/632-213-0x0000000002E70000-0x0000000002EB4000-memory.dmp