Malware Analysis Report

2024-11-30 02:34

Sample ID 241023-b5l31axakk
Target Requirements.scr
SHA256 72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9
Tags
amadey lumma rhadamanthys 76a1c5 discovery execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9

Threat Level: Known bad

The file Requirements.scr was found to be: Known bad.

Malicious Activity Summary

amadey lumma rhadamanthys 76a1c5 discovery execution stealer trojan

Lumma Stealer, LummaC

Amadey

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-23 01:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-23 01:43

Reported

2024-10-23 01:56

Platform

win10v2004-20241007-en

Max time kernel

591s

Max time network

584s

Command Line

sihost.exe

Signatures

Amadey

trojan amadey

Lumma Stealer, LummaC

stealer lumma

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2832 created 2824 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Requirements.scr N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2180 set thread context of 3896 N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 set thread context of 3088 N/A C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 set thread context of 2840 N/A C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe C:\Windows\SysWOW64\cmd.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Requirements.scr N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 456 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
PID 456 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
PID 456 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
PID 456 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 456 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 456 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 2180 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 4392 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2148 wrote to memory of 4392 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2148 wrote to memory of 4392 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 4556 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4392 wrote to memory of 716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\Requirements.scr

"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S

C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe

"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe" /S

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Requirements.pdf"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E746A7293CEB6D3BE8196BAFEC30902E --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A4C0A137AC080B4B4D9B0DE2B2077A39 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A4C0A137AC080B4B4D9B0DE2B2077A39 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4C980F0E0586547596F8F183F34A1692 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4C980F0E0586547596F8F183F34A1692 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ACBD00D949547E0DA1219F59E79B9468 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8915A0BBC33D070C4756934AFFF30BC3 --mojo-platform-channel-handle=2800 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2809791575C2EFE025948F4BD2727F27 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe" /S

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe

"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe" /S

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe

"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe" /S

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-23 01:43

Reported

2024-10-23 01:56

Platform

win11-20241007-en

Max time kernel

591s

Max time network

579s

Command Line

sihost.exe

Signatures

Amadey

trojan amadey

Lumma Stealer, LummaC

stealer lumma

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4584 created 1088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe
PID 4460 created 1088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Requirements.scr N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\SysWOW64\openwith.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2832 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
PID 2832 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
PID 2832 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe
PID 2832 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 2832 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 2832 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Requirements.scr C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 240 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 1820 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2936 wrote to memory of 1820 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2936 wrote to memory of 1820 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1820 wrote to memory of 3140 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (24 identical events)
PID 1820 wrote to memory of 236 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (11 identical events)

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\Requirements.scr

"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Requirements.scr

"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S

C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe

"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe" /S

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Requirements.pdf"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E056330C8D9E71F750796BEA01EF4EB --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=81700D0C8B53F6656E60BE73FD1B8D2B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=81700D0C8B53F6656E60BE73FD1B8D2B --renderer-client-id=2 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7ED7C0F9210873451B199414A8FCC9EF --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=01E2EC2CF6ED0D58DA7B1952FE24CDFF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=01E2EC2CF6ED0D58DA7B1952FE24CDFF --renderer-client-id=5 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06BD84C10AB835DD0468A3733EA03572 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DB0B463CDBDCBDC3DE4FDBAE4BEB6D8 --mojo-platform-channel-handle=2812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe" /S

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe

"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe" /S

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe

"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe" /S
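The process list above is flat, so the chain worth alerting on has to be pieced together by the reader: the screensaver run with /S, a PowerShell Expand-Archive into a numbered folder under the user's Temp, a well-known application name (vlc.exe, VBoxTestOGL.exe, WinRar64.exe) then executed out of that folder or out of a user-profile Programs folder, and a 32-bit explorer.exe from SysWOW64 started with /S, which is not how the interactive shell is launched on 64-bit Windows. The following is an added example, not part of this report or of any sandbox vendor's tooling, showing how a detection engineer would encode that chain as rules over process-creation events. Image paths and command lines are copied from the Processes section; the PIDs are constructed placeholders (the section does not pair them), and the rule names and the list of "known application names" are assumptions of this example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Process-creation events modelled on the Processes section of this report.
# Image paths and command lines are copied from the report; the PIDs are
# constructed placeholders, because the report does not pair them here.
EVENTS: List[Dict[str, str]] = [
    {"pid": "1", "image": r"C:\Users\Admin\AppData\Local\Temp\Requirements.scr",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Requirements.scr" /S'},
    {"pid": "2", "image": r"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe" /S'},
    {"pid": "3", "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" '
                r'"C:\Users\Admin\AppData\Local\Temp\Requirements.pdf"'},
    {"pid": "4", "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r'"C:\Windows\SysWOW64\explorer.exe" /S'},
    {"pid": "5", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip' "
                r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\'"},
    {"pid": "6", "image": r"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe"'},
    {"pid": "7", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip' "
                r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\'"},
    {"pid": "8", "image": r"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe"'},
    {"pid": "9", "image": r"C:\Windows\System32\CompPkgSrv.exe",  # benign control row
     "cmdline": r"C:\Windows\System32\CompPkgSrv.exe -Embedding"},
]

USER_DIR = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\(Temp|Programs)\\", re.I)
DEST = re.compile(r"-DestinationPath\s+'([^']+)'", re.I)
# Assumption of this example: product names that should not be running out of a
# freshly unpacked Temp folder or a user-profile Programs folder.
KNOWN_APP_NAMES = {"vlc.exe", "vboxtestogl.exe", "winrar64.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def expand_archive_dest(ev: Dict[str, str]) -> str:
    """Destination folder of a PowerShell Expand-Archive, or '' if this is not one."""
    if basename(ev["image"]) != "powershell.exe":
        return ""
    m = DEST.search(ev["cmdline"])
    return m.group(1) if m else ""


def rule_unpack_to_user_dir(ev: Dict[str, str]) -> bool:
    return bool(USER_DIR.match(expand_archive_dest(ev)))


def rule_known_app_in_user_dir(ev: Dict[str, str]) -> bool:
    return basename(ev["image"]) in KNOWN_APP_NAMES and bool(USER_DIR.match(ev["image"]))


def rule_wow64_explorer(ev: Dict[str, str]) -> bool:
    # The interactive shell is the 64-bit C:\Windows\explorer.exe; a SysWOW64 copy is unusual.
    return ev["image"].lower() == r"c:\windows\syswow64\explorer.exe"


def rule_scr_silent_switch(ev: Dict[str, str]) -> bool:
    return basename(ev["image"]).endswith(".scr") and "/s" in ev["cmdline"].lower().split()


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "unpack_to_user_dir": rule_unpack_to_user_dir,
    "known_app_in_user_dir": rule_known_app_in_user_dir,
    "wow64_explorer": rule_wow64_explorer,
    "scr_silent_switch": rule_scr_silent_switch,
}


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run every rule over every event; returns rule name -> PIDs that matched."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["pid"])
    return hits


def unpack_then_execute(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Correlate: an image later executed from a folder an Expand-Archive created."""
    unpacked: List[Tuple[str, str]] = []
    pairs: List[Tuple[str, str]] = []
    for ev in events:
        dest = expand_archive_dest(ev)
        if dest:
            unpacked.append((ev["pid"], dest.lower()))
            continue
        for ps_pid, folder in unpacked:
            if ev["image"].lower().startswith(folder):
                pairs.append((ps_pid, ev["pid"]))
    return pairs


if __name__ == "__main__":
    for rule, pids in scan(EVENTS).items():
        print(f"{rule}: pids {pids}")
    for ps_pid, child in unpack_then_execute(EVENTS):
        print(f"unpack-then-execute: powershell pid {ps_pid} -> pid {child}")
```

The correlation in unpack_then_execute is the part worth carrying into a real query: a single Expand-Archive to Temp is common in admin scripts, but an executable starting from the folder that call just created, within the same session, is the pattern the Processes section shows twice here.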

Network

Country  Destination         Domain                           Proto
GB       104.86.110.114:443  -                                tcp
GB       104.86.110.114:443  -                                tcp
GB       2.18.27.82:443      www.bing.com                     tcp
GB       2.18.27.82:443      www.bing.com                     tcp
GB       2.18.27.82:443      www.bing.com                     tcp
GB       2.18.27.82:443      www.bing.com                     tcp
GB       2.18.27.82:443      www.bing.com                     tcp
GB       2.18.27.82:443      www.bing.com                     tcp
US       8.8.8.8:53          79.190.18.2.in-addr.arpa         udp
US       20.44.10.122:443    browser.pipe.aria.microsoft.com  tcp
GB       2.18.27.82:443      www.bing.com                     tcp
NL       185.208.158.96:80   185.208.158.96                   tcp
NL       185.208.158.96:80   185.208.158.96                   tcp
US       104.21.46.78:443    transfer-files.digital           tcp
GB       142.250.178.3:80    c.pki.goog                       tcp
US       104.21.46.78:443    transfer-files.digital           tcp
US       104.21.4.104:443    remindydivir.biz                 tcp
US       8.8.8.8:53          condifendteu.sbs                 udp
GB       23.214.143.155:443  steamcommunity.com               tcp
NL       185.208.158.96:80   185.208.158.96                   tcp
NL       185.208.158.96:80   185.208.158.96                   tcp
NL       185.208.158.96:80   185.208.158.96                   tcp
NL       185.208.158.96:80   185.208.158.96                   tcp

Files

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a6f494e1-181f-43ae-8081-58780b6f2a46.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe

MD5 537915708fe4e81e18e99d5104b353ed
SHA1 128ddb7096e5b748c72dc13f55b593d8d20aa3fb
SHA256 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74
SHA512 9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

C:\Users\Admin\AppData\Local\Programs\WinRAR\MSNCore.dll

MD5 deaa38a71c85d2f9d4ba71343d1603da
SHA1 bdbb492512cee480794e761d1bea718db14013ec
SHA256 1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65
SHA512 87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7

C:\Users\Admin\AppData\Local\Programs\WinRAR\contactsUX.dll

MD5 54ee6a204238313dc6aca21c7e036c17
SHA1 531fd1c18e2e4984c72334eb56af78a1048da6c7
SHA256 0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd
SHA512 19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

C:\Users\Admin\AppData\Local\Programs\WinRAR\msidcrl40.dll

MD5 f1f8d156bbdd5945a4f933ac7fa7cc41
SHA1 e581235e9f1a3a8a63b8a470eaed882bc93b9085
SHA256 344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a
SHA512 86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9

C:\Users\Admin\AppData\Local\Programs\WinRAR\gld

MD5 06a62106f0d01ed3a971415b57366a8b
SHA1 9d905a38a4f53961a3828b2f759062b428dd25a9
SHA256 6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93
SHA512 4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74

C:\Users\Admin\AppData\Local\Programs\WinRAR\bqbr

MD5 d1dd94b6d3c47bf394de95221842cbed
SHA1 42717a7086e0b3f9539948ea2c80e57739c5879a
SHA256 ea0f82414408da76de7706b137551a76b0adb4a7282d45a82c0d61b6c88f4706
SHA512 0c3fc772cda18b3a41eb152a45c32ef83b148914ec5d042242bb4fe66baf7612ea58389fae05258fab4ee9c0e4bfd041c959f57dc24781b72e0b4e7501f112b5

memory/240-109-0x0000000072580000-0x00000000726FD000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\WinRAR\msvcr80.dll

MD5 43143abb001d4211fab627c136124a44
SHA1 edb99760ae04bfe68aaacf34eb0287a3c10ec885
SHA256 cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
SHA512 ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

memory/240-110-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Requirements.pdf

MD5 720b78ca59dbb0e1b885f47b9c4eebd3
SHA1 98629bc8c27329023931d158d2ab879e8136b5ff
SHA256 73300eda96e39870895468cf7a7b90616b37d5d7673671c89db1776c192ed2be
SHA512 ee22206441b41881acbae939dba2f4269e652782ba485963f81d3ae2aedd3838bba2a673de502a367cdc5f1a8c33a08e120495a473d617f2ec049fa5f0be17ac

C:\Users\Admin\AppData\Local\Temp\ee86145a

MD5 f4fa068cc3baa836a3b6ff22a16800ce
SHA1 0e3b30758eacc47c33f2d8ad9f204ccc0253e906
SHA256 c4d608ec5fb6417ad2a142a07ea80b92f741bcb093783cf789ffd789b3a26ab9
SHA512 477b5e7c0a86075a19254c566de67145cfd06837d6c3cd40db580a1e879b651f5c79d707ee7fc834a3e8246ad4a634121c1e39ab5d0793859a75740bcc541794

memory/240-141-0x0000000072580000-0x00000000726FD000-memory.dmp

memory/4648-151-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/4648-152-0x0000000072580000-0x00000000726FD000-memory.dmp

memory/4648-168-0x0000000072580000-0x00000000726FD000-memory.dmp

memory/2732-170-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/2732-171-0x0000000000600000-0x0000000000694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\565375082730

MD5 fbc92c076d7805c946c1210ce0d34060
SHA1 4556aec1443769a358e43971b0f34224c4e4f761
SHA256 05ed6ec7282fe3593fe09a98bd608b7c74b65b041241a3b482bb86988d5c045b
SHA512 02f5d0d2c66311b5e4492b2a3b8f29672a379cbf514dfa45ea62e18fa317b37b4ac4d80ce80a1ec53eef3ee37006382f63f96fb9215834e28df4ff07d63dcc25

memory/2732-185-0x0000000000600000-0x0000000000694000-memory.dmp

memory/4584-186-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4584-187-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4584-188-0x0000000004260000-0x0000000004660000-memory.dmp

memory/4584-189-0x0000000004260000-0x0000000004660000-memory.dmp

memory/2364-193-0x00000000008D0000-0x00000000008D9000-memory.dmp

memory/4584-192-0x0000000077510000-0x0000000077762000-memory.dmp

memory/4584-190-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/2364-195-0x0000000002950000-0x0000000002D50000-memory.dmp

memory/2364-196-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/2364-198-0x0000000077510000-0x0000000077762000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN.zip

MD5 f169e93956f90c9b4fee4800e4fb655f
SHA1 fb0005f2d2213f1e486c3d1c2992cf35b8450591
SHA256 61205f3d3b64a36565e557eb3f16f1a0cd031852ce7c1dd13e879cca611d2da1
SHA512 ee86a4447bf986ebaeebdf47b332973b25071b5f4e16067e44064d82ad5827b38c89faf4eda12a92ad7cfabee78f1ae01b3acfff9650c37b34f63e651ab28c38

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jp4avmvu.rtn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3764-206-0x000001C9CD1B0000-0x000001C9CD1D2000-memory.dmp

memory/3764-216-0x000001C9CD260000-0x000001C9CD26A000-memory.dmp

memory/3764-215-0x000001C9CD5F0000-0x000001C9CD602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe

MD5 e634616d3b445fc1cd55ee79cf5326ea
SHA1 ca27a368d87bc776884322ca996f3b24e20645f4
SHA256 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937
SHA512 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlccore.dll

MD5 c39b26fd913f74e1b80df54a3c58cfb7
SHA1 d81a62a78fbe5294c9298721e588ed9b38aafd9e
SHA256 eafae6c93e6e49310d13f80b76de3286ad6027624416543fbd65f8f0b0541e68
SHA512 4fbd067c88405b5541da6ddb1fa6c7d09a327d008c5494674124bf8fe3641d328e6ac0ee95b84b6368be796e249d633842a4ef5f0db71ce5cbb449089175fd48

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\libvlc.dll

MD5 4b262612db64f26ea1168ca569811110
SHA1 8e59964d1302a3109513cd4fd22c1f313e79654c
SHA256 a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f
SHA512 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\dqhq

MD5 b23152452b6c798ee1b57352cc5ebce1
SHA1 219a30751cda0df049fecc8247daf34fe57d1f4a
SHA256 c513a651c736cdb3acbc7fad1612c544bf14b658dd4db62ea7eb434d8393f83a
SHA512 c951a6e46c4f7d86553dfb2d796e68fd6cb197114155c61e8898e6d792ec87cc18a326097cf140874473e6e33cced35d6a87aea93894a59e3da35f27862e177d

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\hcsjm

MD5 d272096a4ad0ba0c3001c21804b11835
SHA1 3b3933a81cf97301e1e1a4f3c37df2dbb32d3679
SHA256 975412a4da13058af093ad1c18dc985428bebd0f2fc730e6195948e69154d65f
SHA512 6c837d5638fdeed4ce2e579019c8ee85a2f751393530a286396dce30cfc7db4c336515f4fd94fd1b7cf0ee93a1366bcfa7acc6e62e459382f3553bf2d55c2c48

memory/4548-238-0x00007FFB4D350000-0x00007FFB4D4CA000-memory.dmp

memory/2732-239-0x0000000000600000-0x0000000000694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000731261\urituaiskdjfg.zip

MD5 cb106cb03334fff181d51a71637a2a6c
SHA1 0cea6bb69e925f00c7d334cf58b46b9d4cb6cb37
SHA256 db462a4becbd5ce94f72d91b9f0bd0e1b2dbc9220094d710747b4ca39e3a72f7
SHA512 9f66fb7db9fc5a3274c1a88c4c4d7152aa7aec8e0ed6abbd6fe88bd9444eed57055df8b2e7254c222848b00a6643b94e12c610f94b6fc68a566ce18322d27661

memory/4548-251-0x00007FFB4D350000-0x00007FFB4D4CA000-memory.dmp

memory/4548-255-0x00007FFB4D700000-0x00007FFB4D9B5000-memory.dmp

memory/4548-253-0x00007FF6360C0000-0x00007FF6361B8000-memory.dmp

memory/4548-254-0x00007FFB65A40000-0x00007FFB65A74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d96bc47

MD5 eb5c4122508c1a7de85149b3f994f8e1
SHA1 d4e41b7a785a802df396de59501a4b995433c40b
SHA256 6d1d1b7f5886cbc1a5e3674964f4bafabdd0ddac779811bb9632e42d8b67396a
SHA512 e40341d71cbda6bc62b24b48608642066d4efd2498472b481a8616ba36fd15b223a24dee988fb05be66e94484b8441bf968896c3fd8d6c73a9be7891e2f4f1e2

memory/1592-257-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/2732-258-0x0000000000600000-0x0000000000694000-memory.dmp

memory/1592-259-0x0000000072C10000-0x0000000072D8D000-memory.dmp

memory/4460-262-0x0000000000630000-0x00000000006B0000-memory.dmp

memory/4460-263-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/4460-264-0x0000000000630000-0x00000000006B0000-memory.dmp

memory/4460-267-0x0000000000630000-0x00000000006B0000-memory.dmp

memory/4460-269-0x0000000004D30000-0x0000000005130000-memory.dmp

memory/4460-272-0x0000000077510000-0x0000000077762000-memory.dmp

memory/4248-277-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

memory/4460-275-0x0000000000630000-0x00000000006B0000-memory.dmp

memory/4248-278-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/4248-280-0x0000000077510000-0x0000000077762000-memory.dmp

memory/2732-282-0x0000000000600000-0x0000000000694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP.zip

MD5 e0a6c369447034f1b7f2749620c420cc
SHA1 15b88a23dca33d84bdb2c256e67aee6705a4f122
SHA256 3e13e72c418b133c27a1c5aa85cf76f803ab2642b22b473d27de4a1449890603
SHA512 374e851b931cee58aa31b6ab215dc94d85a9251e1e60d43e6c21edbf657983bb37148681b20d2d518c4001624caebbd588d3bfa59506900e11a8003765cb379a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ae626d9a72417b14570daa8fcd5d34a4
SHA1 c103ebaf4d760df722d620df87e6f07c0486439f
SHA256 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512 a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7b58e6de9cf9aa1c43c15c4e5bacebd1
SHA1 706600fc3b8d7551ff18452f1025e8a0480b3e6d
SHA256 e04e22e7bcc9ddb67fb534f1eb10e4af31d9f07d0c6f2b54d133dd5996ba0be9
SHA512 dbef32d4a09bb46e999a7bee2aec0e54431dec644f54aa9a1e9833a1b0ee340589ee76cd32e2b5fddb6fc64e641777c96e43cc93d2e805f8443d58ef5a4095fe

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe

MD5 ba99b11a84a19051eca441320af22f4e
SHA1 bb3a700fa2676d0223444a81796c7b21aa191ca8
SHA256 e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f
SHA512 e6e0541c121dc3260d4c48d1d788eff122a947c6ea8cd7da538edf6fd5f46cd37ee96f2c431575e31338ef93a5e21c81c51057734e29eec3814d4cd5100038e9

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxRT.dll

MD5 31e7657643d832681fee0e303e25ee52
SHA1 0756c911a602cfe2f094104d1c10a2d014c52e59
SHA256 7328aeb5cec65215e5462c1ea4d69a6383fb77605ccb84c60fdb90d6d0b3c0f4
SHA512 542ecead0a1d54de9300220799b1bbaf5e304fafa95c4ce130f0003a5c693adcf1c3140d67e6721c1cbc576989597bff7353727cec95ac289f563e1aee1ec9c2

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxOGLhostcrutil.dll

MD5 d01bfdcb832e310af8b74b9613741144
SHA1 88dcf21940f852e60026f3994b7cd6d4f2246e45
SHA256 943187c2fb090849721985a6119b3440180f7274bc752326a56f3c7862322bef
SHA512 ac3b9fb49967736fb1daa4bc9de62a7d4707a7f6c7b20ac20fadcb4a3e6f7e5e0542ad68f766c604f123f2400487043a1c531352846db2e08f808bae31ea9ada

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\msvcp100.dll

MD5 4f096d96285e06cd51aef7d2d3de04da
SHA1 c90ef0eb5b1a0b1b85ad6792291747fb6307dcdb
SHA256 5bb420fbe28315f2117376052bb8488ce84a3398dda65005b8ae1f792017e9a8
SHA512 80f558c50a71ad9c4930b3838b481e4fb453c38d57c91f7f70c1f86e4043b9a4fbcec27d7c025285504cbf3bde7c50b4770f18121d7818ac58e2ee9c2071f97c

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\oivfk

MD5 6f40f246a78ef46dd8df58d64e8fb51a
SHA1 6878766db27f7810cba58ad3e1c0e862dbf6fcca
SHA256 24bc3325b3cbddb6f69f34845d9e7c2bbf6ecff9f631d5d8642b15419846b07b
SHA512 20a11fcf8f19f4eb4b5114e6fe4f3d468f22147c2114d23b180c0294da5206e189ce57a5bfed332f5c5b0484dd6cb4dea6b9d528be7d5a0f51d4ee3a5f3ccc14

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\qkyv

MD5 757b60d1b085d26b2d312a04dea9a84f
SHA1 1e1eda4a0e13ad16c2251bb4d95d615e979db944
SHA256 292f1ef0342e06ae83fec5da98b1e58d1737c8f1614bb71eb3395c5a150ec701
SHA512 a8e706e74b1edf6599e75dff7d43a143f87d0c31e3733394ffe2437af7ec323c92c34b8298f8ed91ff795ea581c10a2902e4cde90511cdc340023c9b5da05e51

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtGuiVBox4.dll

MD5 e74d017961a50822825aa733c6196efc
SHA1 4db6e896e19d43927377209b14e4abd928264671
SHA256 b13e868e0da8d43519b8694074bf70a8b90f9f1c27a89f168766f2fd435721be
SHA512 5750ff404c2835fb9df0512e1551b20b8f191280d8436fc196605931a40d8ca124a0e5686d9fe3a7b3dbd6cd9d81e13353a4d28d9669f859322ab66fe28cf8cf

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtOpenGLVBox4.dll

MD5 4fc7c92babfa0c6c8341a57b63660058
SHA1 d5aad499f6abcb94bfec8509790fb81375ebefb2
SHA256 909481124b55b069b2ac196148514522853c849a80d4cbc7136e498dc77f34a1
SHA512 6602af365d6c7642409d95878e07c2f7054eab76794f51ff10a88388d1e292779cd3cbddea280d43eaa5bdc71661325e2da07020a2b481c32ba330d41e387b46

memory/3420-343-0x00007FFB4D1F0000-0x00007FFB4D36A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\QtCoreVBox4.dll

MD5 96123f5c43b67b168840b1c548e8bcce
SHA1 e3e17aa08ea61e3bc7312c37da766db1f166fb83
SHA256 2473eaee17b4d730f2d9be74c3c2ab491f62cbbd68be43cf10a9ca04efcaef5b
SHA512 df974aeceeac2e72424e775674ffbc5a7ced9cf3b90135e3d6decd3fffa0d56b24a175cde6c2aa59a98f93cfa957c790b2b95303bccd4a37aa53a4deccc5ba92

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

memory/2732-344-0x0000000000600000-0x0000000000694000-memory.dmp

memory/3420-345-0x00007FFB4D1F0000-0x00007FFB4D36A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\914c3ea5

MD5 d662c681221bb432c9b309cbf3f2d5a1
SHA1 0dfe5af3b4cb5ed372826d827c8f9b53ccbb13fd
SHA256 45b7fef5f2b4e9d43c345be1abac013401a17707b8a33b229d356ea52202a364
SHA512 3d6002482f467b32562fd3501a6f1db85f32c093c0fba118158306f0ccde1b61c0d7fb3d72742f44190ae6891c9152edcf4786095072d22e75a36df691aef48a

memory/3856-348-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/4588-353-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/4588-354-0x00000000004F0000-0x0000000000553000-memory.dmp
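The Network and Files sections above are the indicator list for this sample, but in report form they mix sandbox noise (Bing, Google's CRL host c.pki.goog, Microsoft's Aria telemetry endpoint, the 8.8.8.8 resolver) with the hosts of interest, and dropped-file hashes with memory-region references. The following is an added example, not part of this report, that parses excerpts of both sections exactly as they appear on this page into a deduplicated indicator set. The benign-domain list and the resolver address are assumptions of this example and should be reviewed per environment: steamcommunity.com, for instance, is a legitimate service and is deliberately left for the analyst to classify rather than filtered. The per-destination connection count is a hint for spotting repeated check-ins, not a signature.

```python
import json
import re
from typing import Dict, List, Tuple

# Excerpts copied from the Network and Files sections of this report, trimmed to a
# representative subset; SHA512 lines omitted to keep the sample short.
NETWORK = """\
Country Destination Domain Proto
GB 104.86.110.114:443 tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 185.208.158.96:80 185.208.158.96 tcp
NL 185.208.158.96:80 185.208.158.96 tcp
US 104.21.46.78:443 transfer-files.digital tcp
GB 142.250.178.3:80 c.pki.goog tcp
US 104.21.4.104:443 remindydivir.biz tcp
US 8.8.8.8:53 condifendteu.sbs udp
GB 23.214.143.155:443 steamcommunity.com tcp
"""

FILES = r"""
C:\Users\Admin\AppData\Local\Programs\WinRAR\WinRar64.exe

MD5 537915708fe4e81e18e99d5104b353ed
SHA1 128ddb7096e5b748c72dc13f55b593d8d20aa3fb
SHA256 6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

memory/240-109-0x0000000072580000-0x00000000726FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000120261\LXN\vlc.exe

MD5 e634616d3b445fc1cd55ee79cf5326ea
SHA1 ca27a368d87bc776884322ca996f3b24e20645f4
SHA256 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937

memory/4548-238-0x00007FFB4D350000-0x00007FFB4D4CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000900261\LM-LXN-ZIP\VBoxTestOGL.exe

MD5 ba99b11a84a19051eca441320af22f4e
SHA1 bb3a700fa2676d0223444a81796c7b21aa191ca8
SHA256 e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f
"""

# Assumptions of this example: sandbox background traffic to drop, and the resolver
# whose address is not itself an indicator (the queried name still is).
BENIGN_DOMAINS = {"www.bing.com", "c.pki.goog", "browser.pipe.aria.microsoft.com"}
RESOLVERS = {"8.8.8.8"}
HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")


def parse_network(text: str) -> Tuple[List[str], List[str], Dict[str, int]]:
    """Rows are 'Country ip:port [domain] proto'; the domain column is optional."""
    domains, ips, beacons = set(), set(), {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue
        ip, _, port = parts[1].rpartition(":")
        domain = parts[2] if len(parts) == 4 else None
        if domain and (domain.endswith(".in-addr.arpa") or domain == ip):
            domain = None  # reverse lookup or bare IP repeated: no name to keep
        if domain in BENIGN_DOMAINS:
            continue
        if domain:
            domains.add(domain)
        if ip not in RESOLVERS:
            ips.add(ip)
            beacons[f"{ip}:{port}"] = beacons.get(f"{ip}:{port}", 0) + 1
    return sorted(domains), sorted(ips), beacons


def parse_files(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """A path line opens a file entry; hash lines attach to it; memory/ lines are kept apart."""
    files: List[Dict[str, str]] = []
    mem: List[str] = []
    cur = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("memory/"):
            mem.append(line)
            cur = None
        elif re.match(r"^[A-Za-z]:\\", line):
            cur = {"path": line}
            files.append(cur)
        else:
            algo, _, digest = line.partition(" ")
            if cur is not None and algo in HASH_ALGOS:
                cur[algo.lower()] = digest.lower()
    return files, mem


def build_iocs(network_text: str, files_text: str) -> Dict[str, object]:
    domains, ips, beacons = parse_network(network_text)
    files, mem = parse_files(files_text)
    return {
        "domains": domains,
        "ips": ips,
        "beacons": beacons,
        "sha256": sorted(f["sha256"] for f in files if "sha256" in f),
        "dropped_paths": [f["path"] for f in files],
        "memory_regions": mem,
    }


if __name__ == "__main__":
    print(json.dumps(build_iocs(NETWORK, FILES), indent=2))
```

The sha256 list is in the form a host-side check needs: on a suspect machine, hash the files under the user's Temp and Programs folders (Get-FileHash -Algorithm SHA256 on Windows) and intersect with it, and treat any hit on a path under a numbered Temp folder such as 10000120261 as confirmation of the same unpack-and-run stage seen in this detonation.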