Malware Analysis Report

2025-01-18 07:48

Sample ID 230813-mx5qxsdc8t
Target dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe
SHA256 dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179
Tags
amadey djvu fabookie redline smokeloader vidar d2840cabd9794f85353e1fae1cd95a0b lux3 pub1 backdoor discovery infostealer ransomware spyware stealer trojan logsdiller cloud (tg: @logsdillabot)
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179

Threat Level: Known bad

The file dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe was found to be: Known bad.

Malicious Activity Summary

Detect Fabookie payload

Amadey

RedLine

Detected Djvu ransomware

SmokeLoader

Djvu Ransomware

Fabookie

Vidar

Downloads MZ/PE file

Loads dropped DLL

Modifies file permissions

Deletes itself

Executes dropped EXE

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-13 10:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-13 10:51

Reported

2023-08-13 10:54

Platform

win10v2004-20230703-en

Max time kernel

47s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3252 wrote to memory of 3108 N/A N/A C:\Users\Admin\AppData\Local\Temp\7E34.exe
PID 3252 wrote to memory of 4684 N/A N/A C:\Users\Admin\AppData\Local\Temp\8103.exe
PID 3252 wrote to memory of 1152 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1152 wrote to memory of 552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3252 wrote to memory of 560 N/A N/A C:\Users\Admin\AppData\Local\Temp\85D8.exe
PID 3252 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\Temp\9AB8.exe
PID 3252 wrote to memory of 232 N/A N/A C:\Users\Admin\AppData\Local\Temp\A22C.exe
PID 4684 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\8103.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3252 wrote to memory of 4192 N/A N/A C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 896 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD69.exe
PID 1384 wrote to memory of 1808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3252 wrote to memory of 1416 N/A N/A C:\Users\Admin\AppData\Local\Temp\AF1F.exe
PID 3252 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\B1C0.exe
PID 4684 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\8103.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4868 wrote to memory of 1780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3252 wrote to memory of 1900 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6E2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe

"C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe"

C:\Users\Admin\AppData\Local\Temp\7E34.exe

C:\Users\Admin\AppData\Local\Temp\7E34.exe

C:\Users\Admin\AppData\Local\Temp\8103.exe

C:\Users\Admin\AppData\Local\Temp\8103.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8440.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8440.dll

C:\Users\Admin\AppData\Local\Temp\85D8.exe

C:\Users\Admin\AppData\Local\Temp\85D8.exe

C:\Users\Admin\AppData\Local\Temp\9AB8.exe

C:\Users\Admin\AppData\Local\Temp\9AB8.exe

C:\Users\Admin\AppData\Local\Temp\A22C.exe

C:\Users\Admin\AppData\Local\Temp\A22C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8103.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\AB16.exe

C:\Users\Admin\AppData\Local\Temp\AB16.exe

C:\Users\Admin\AppData\Local\Temp\AD69.exe

C:\Users\Admin\AppData\Local\Temp\AD69.exe

C:\Users\Admin\AppData\Local\Temp\AF1F.exe

C:\Users\Admin\AppData\Local\Temp\AF1F.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff926bb46f8,0x7ff926bb4708,0x7ff926bb4718

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8103.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\B6E2.exe

C:\Users\Admin\AppData\Local\Temp\B6E2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff926bb46f8,0x7ff926bb4708,0x7ff926bb4718

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,8168224218022805914,3353150635079252148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,8168224218022805914,3353150635079252148,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7E34.exe

C:\Users\Admin\AppData\Local\Temp\7E34.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8939849994934452310,12110958626615999498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7E34.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\9AB8.exe

C:\Users\Admin\AppData\Local\Temp\9AB8.exe

C:\Users\Admin\AppData\Local\Temp\AF1F.exe

C:\Users\Admin\AppData\Local\Temp\AF1F.exe

C:\Users\Admin\AppData\Local\Temp\AD69.exe

C:\Users\Admin\AppData\Local\Temp\AD69.exe

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\806d6d32-b222-4623-ad42-6930c1b01b6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

"C:\Users\Admin\AppData\Local\Temp\B1C0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AF1F.exe

"C:\Users\Admin\AppData\Local\Temp\AF1F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AD69.exe

"C:\Users\Admin\AppData\Local\Temp\AD69.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
MX 187.134.52.64:80 colisumy.com tcp
US 8.8.8.8:53 64.52.134.187.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
NL 194.169.175.233:3003 194.169.175.233 tcp
US 8.8.8.8:53 233.175.169.194.in-addr.arpa udp
MX 187.134.52.64:80 colisumy.com tcp
US 8.8.8.8:53 admaiscont.com.br udp
US 142.4.24.122:443 admaiscont.com.br tcp
US 8.8.8.8:53 122.24.4.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
NL 194.169.175.233:3003 194.169.175.233 tcp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
US 8.8.8.8:53 224.104.207.23.in-addr.arpa udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
IE 63.34.168.218:443 mscom.demdex.net tcp
US 8.8.8.8:53 218.168.34.63.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.42.65.89:443 browser.events.data.microsoft.com tcp
US 20.42.65.89:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
DE 159.69.198.239:27015 159.69.198.239 tcp
US 8.8.8.8:53 239.198.69.159.in-addr.arpa udp
PL 51.83.170.21:19447 tcp
NL 149.154.167.99:443 t.me tcp
DE 159.69.198.239:27015 159.69.198.239 tcp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp

Files

memory/3936-134-0x0000000002550000-0x0000000002650000-memory.dmp

memory/3936-135-0x0000000002490000-0x0000000002499000-memory.dmp

memory/3936-136-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/3252-137-0x0000000003240000-0x0000000003256000-memory.dmp

memory/3936-138-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/3936-141-0x0000000002490000-0x0000000002499000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E34.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\8103.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

C:\Users\Admin\AppData\Local\Temp\8440.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

memory/4684-156-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4684-157-0x00000000006A0000-0x00000000006D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85D8.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

memory/552-167-0x00000000022A0000-0x0000000002514000-memory.dmp

memory/552-169-0x0000000000550000-0x0000000000556000-memory.dmp

memory/552-168-0x00000000022A0000-0x0000000002514000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9AB8.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\A22C.exe

MD5 dd637ef7098a49cb61800e9efd85b1fc
SHA1 c290bc05fc441f1162bbc1030cde87b3dc38b9c9
SHA256 9014fe8d07e8429116fc6c8d0d55bc46773e0cd5d89271640b982eac91db19d9
SHA512 65969c48f98104ae5d15299665ef97da119b3451ea1fc89693b564273a610e419ff002036346a8aca4600d4f3f8eae564e110968209b0654b05d4435b30c9064

C:\Users\Admin\AppData\Local\Temp\AB16.exe

MD5 00f2d53d4e13ead70fb44c3a7c251675
SHA1 5933e3de281fb95625099ef9a788b3cddf48c96a
SHA256 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
SHA512 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a

C:\Users\Admin\AppData\Local\Temp\AD69.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/4192-189-0x0000000072450000-0x0000000072C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AF1F.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\AF1F.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/4192-192-0x00000000003C0000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\B1C0.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\AD69.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\B6E2.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Temp\B6E2.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b494b828656f84306f5157ad41c7337c
SHA1 6181aaa19942587ae4b18d6613a923917d8b22de
SHA256 2e1a97beb64ef5d84e0c3b9ef1923edc90cfe8754c5dfc47c73919f1de53fa13
SHA512 fcb30d1d9f2a20acb613ea9316859db9cb0f2ef2c153096947886368303ca026833e88e2b3012ea2f0be93cee6a92db532c4d0a67d8742d6ba205b9f44685db7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

memory/2576-226-0x00007FF6103C0000-0x00007FF61042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4192-236-0x0000000072450000-0x0000000072C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

\??\pipe\LOCAL\crashpad_4868_BNRISUMYDTGDHOJH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_1384_ARNVLSYYTOPCBYMD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8411007bafe7b1182af1ad3a1809b4f8
SHA1 4a78ee0762aadd53accae8bb211b8b18dc602070
SHA256 1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3
SHA512 909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a4d9694594a1a4f18335af9ace808666
SHA1 98550d3fdf418d88c42a7f1aa176fbb0a66f9bdd
SHA256 b2ceebd4b96b68a5bb0d774a9c3012b929dca38b395071cc60d6f8d9250b40da
SHA512 4afbfe64de6710aa495431f6d5f01d7a59f791e5830edce0a83676cce576074d715e9eff3e1d2df5df46efa5b66d5f04801794bd8fd6525139d632ff00ba686f

memory/2576-265-0x0000000002750000-0x00000000028C1000-memory.dmp

memory/2576-271-0x00000000028D0000-0x0000000002A01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bc4d8d11c083d45469e5618b465463e8
SHA1 aed18f186d8fc4dd734e4b804e8d72eb50b8e8fe
SHA256 6813a97e8c115be219cfbeeb49ac5e33a32a76e85027c16aba1803ea5cd38a80
SHA512 7d24f994dc79a61ffcaff47f589a00e3508d734cc9cd257b48e52509e10cdfcfbe5ef9f126be8a99b8ed500987dbb5add522a227d3d3e47d856891a6734998ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a4d9694594a1a4f18335af9ace808666
SHA1 98550d3fdf418d88c42a7f1aa176fbb0a66f9bdd
SHA256 b2ceebd4b96b68a5bb0d774a9c3012b929dca38b395071cc60d6f8d9250b40da
SHA512 4afbfe64de6710aa495431f6d5f01d7a59f791e5830edce0a83676cce576074d715e9eff3e1d2df5df46efa5b66d5f04801794bd8fd6525139d632ff00ba686f

memory/552-289-0x0000000002750000-0x0000000002845000-memory.dmp

memory/552-295-0x0000000002850000-0x000000000292E000-memory.dmp

memory/552-298-0x0000000002850000-0x000000000292E000-memory.dmp

memory/552-299-0x0000000002850000-0x000000000292E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9f6187896bc318443ef5f691c2822d4a
SHA1 6e113053ad79b698327e6c80ae73148879fe0233
SHA256 bdf6ac65f835046866063ab34e26af924a51533d13eef9be32b8f3f529d097d0
SHA512 f5bd242e0e2d3faf5ad85340634f3330a3f43477a590913a737c9402e6e7e430fc7b2aaced38377b7b04d4417ea23d57b5242bacd94212385261c7bef37200ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a4d9694594a1a4f18335af9ace808666
SHA1 98550d3fdf418d88c42a7f1aa176fbb0a66f9bdd
SHA256 b2ceebd4b96b68a5bb0d774a9c3012b929dca38b395071cc60d6f8d9250b40da
SHA512 4afbfe64de6710aa495431f6d5f01d7a59f791e5830edce0a83676cce576074d715e9eff3e1d2df5df46efa5b66d5f04801794bd8fd6525139d632ff00ba686f

memory/3108-311-0x0000000001A80000-0x0000000001AF8000-memory.dmp

memory/3108-310-0x0000000003420000-0x0000000003461000-memory.dmp

memory/1044-312-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E34.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/1044-315-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1044-316-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1044-317-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2576-313-0x00000000028D0000-0x0000000002A01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 22f575bcc39995aeabc641d111cf8a04
SHA1 3dd97e877de78af2ce5825e34f8e96ff25d345e5
SHA256 c0fed1e822eff43eb00aff8414e409965edc567f15c7efd650fda61ddd6196a5
SHA512 529c61aef200bf04470d20b1a2484ca5dfb57bb97d822c2bc37d4b50966d372eaf38d60470cac7835ece08354717b386b5400a91a320ace3b5e6ff2bc8679e1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc
SHA1 83f8586805286b716c70ddd14a2b7ec6a4d9d0fe
SHA256 0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c
SHA512 084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/1044-393-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1044-409-0x0000000000400000-0x000000000048C000-memory.dmp

memory/560-416-0x00000000033F0000-0x0000000003419000-memory.dmp

memory/560-419-0x00000000001C0000-0x00000000001FF000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/560-426-0x0000000072D50000-0x0000000073500000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/560-434-0x0000000006040000-0x00000000065E4000-memory.dmp

memory/560-431-0x0000000000400000-0x00000000018D6000-memory.dmp

memory/560-435-0x0000000006030000-0x0000000006040000-memory.dmp

memory/560-436-0x0000000006030000-0x0000000006040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 830c0f77517aa53e382f0f36ed3e6217
SHA1 595f516a55c0cd54f57a34690c2b5e36ce5ac727
SHA256 1e9f5036dab78dcbc39495541e107fc1980c3dcd71ff44114f07f3d1eb058dbd
SHA512 b287689c306a0ac90ac06977314c8e8dd4c04a9b8b3353daaeeba62d90a695b33d99a68b0a3ba2a64657a86573f6cff97502c19c1c7fa03a52324dd7841854b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 830c0f77517aa53e382f0f36ed3e6217
SHA1 595f516a55c0cd54f57a34690c2b5e36ce5ac727
SHA256 1e9f5036dab78dcbc39495541e107fc1980c3dcd71ff44114f07f3d1eb058dbd
SHA512 b287689c306a0ac90ac06977314c8e8dd4c04a9b8b3353daaeeba62d90a695b33d99a68b0a3ba2a64657a86573f6cff97502c19c1c7fa03a52324dd7841854b2

memory/560-454-0x00000000066F0000-0x0000000006D08000-memory.dmp

memory/560-460-0x0000000006D10000-0x0000000006E1A000-memory.dmp

memory/560-462-0x0000000006030000-0x0000000006040000-memory.dmp

memory/560-461-0x0000000006000000-0x0000000006012000-memory.dmp

memory/560-463-0x0000000006E20000-0x0000000006E5C000-memory.dmp

memory/1044-464-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1044-465-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1044-466-0x0000000000400000-0x000000000048C000-memory.dmp

memory/560-468-0x00000000033F0000-0x0000000003419000-memory.dmp

memory/560-471-0x00000000001C0000-0x00000000001FF000-memory.dmp

memory/560-472-0x0000000072D50000-0x0000000073500000-memory.dmp

memory/560-473-0x0000000006030000-0x0000000006040000-memory.dmp

memory/560-474-0x0000000006030000-0x0000000006040000-memory.dmp

memory/1988-477-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9AB8.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/1988-478-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1988-479-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

MD5 1cc039e3278abbf0e77cb25bc6d7f6ab
SHA1 dd876527942dfdd47f8950f399d67d50553fcd22
SHA256 61c32291587d3b4ac047f685a6dda602c15088e2267d57ca66cd165de0d89b04
SHA512 b02b7e1211fc3ae36a92eaef3b2eae1c166b18523a251657750c06842161f5843a6f1806cf39848af1346b558a81254982ae6ec05eb99741888465d442f7d8e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

MD5 7eb9f87c2c64e57b92d830e4a966ba91
SHA1 8e34a9754d0439acc555f445459f30c6ecf09b56
SHA256 55e22360d7bd73be9309635363956539fa23a2c14f8824d36abc6bad1305f4bb
SHA512 760a6df7c6e72b706ee042abfa63f3b6f8ffe957bda742299db029f77f6c3cfe63df28c59adb1f33fdedcb89ac199d72d4273a61e2c999d03267e5101fd852c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 4c1030e818c5cf3b2df578b27f80288d
SHA1 ea9d454f7a6408d1821e2a5ddaabc99f10dfc78a
SHA256 b63248329c55a2b6409f504f5b0536dc5239580048f9398f09ac3cb4d06f1e2a
SHA512 d8b46bd116360cc20e2148d542da44fab0b18972637dfbfdaf1328c24ca1a497bbf6ca32c0c3b25fb1c9d264b740ea20696f290875428c7393c1b6cf86614804

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 c0fc8ac8f0fe97bca888033e7943acd4
SHA1 50658938643ffbe1ebd9c67d40a23d2367b92b4d
SHA256 6cf06f11c5da14ae122162f9181b24a516a37feea8d35ce25f0b321c50675a3a
SHA512 e772f58f3112ebc8d598a686a1afdf44936acab996cb883d12565e7546647add07917e9de67e9a150009238d05aeee445b2e360390fb811025f74f6cc01b2d17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 1d55bb858a659cd3d1e4fa3f78669d20
SHA1 1415c302a01b32b0d6048c910309dd60bbee8301
SHA256 5d2883b6e61dd45c68bb728ac5e7c193804b9b97936deb3cb80c5f0d93ab1eb1
SHA512 58703428cbc16e1edbc11c0344e44ddf906b891238a23f19712eae54379b2d5a874f09f280a6c95da5126f5d8292ab9d441dcaeb2e675bb7ffa5f2e8a5e7da52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 53860b50c3f10ff4f696ef90877a813b
SHA1 34e0f49d107c4c9b5dc204f8348e755f4a9d179f
SHA256 a820e449675d66621c8a0cedca8c9788866d3d523329dc0b6b5f20f7b21d9f19
SHA512 1b5cf4a01b7391c49f59929d73a7fdbb060adec19349a928acfa43f9f9f78de5d275542d18d95b6ef29d9b12dc51bb0b9005aa26e4ac2ca999da896a45715f8a

memory/560-490-0x0000000006030000-0x0000000006040000-memory.dmp

memory/232-495-0x0000000001AF0000-0x0000000001B05000-memory.dmp

memory/232-497-0x0000000001B50000-0x0000000001B59000-memory.dmp

memory/232-501-0x0000000000400000-0x00000000018C2000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\16178366162499916527640653

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/1416-532-0x0000000003470000-0x0000000003501000-memory.dmp

memory/1416-535-0x0000000003710000-0x000000000382B000-memory.dmp

memory/560-534-0x0000000007110000-0x0000000007186000-memory.dmp

memory/560-537-0x0000000007190000-0x0000000007222000-memory.dmp

memory/2556-539-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-540-0x0000000007230000-0x0000000007296000-memory.dmp

memory/1988-542-0x0000000000400000-0x000000000048C000-memory.dmp

C:\ProgramData\81332755475480751127022895

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

memory/1900-556-0x0000000000400000-0x00000000018D6000-memory.dmp

memory/232-558-0x0000000000400000-0x00000000018C2000-memory.dmp

memory/1900-560-0x0000000072D50000-0x0000000073500000-memory.dmp

memory/1900-561-0x0000000005FA0000-0x0000000005FB0000-memory.dmp

memory/1900-566-0x0000000005FA0000-0x0000000005FB0000-memory.dmp

memory/1900-565-0x0000000005FA0000-0x0000000005FB0000-memory.dmp

memory/1780-567-0x0000000000400000-0x0000000000537000-memory.dmp

memory/860-568-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-581-0x0000000007CF0000-0x0000000007EB2000-memory.dmp

memory/560-582-0x0000000007EC0000-0x00000000083EC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-13 10:51

Reported

2023-08-13 10:54

Platform

win7-20230712-en

Max time kernel

48s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3016 set thread context of 2736 N/A C:\Users\Admin\AppData\Local\Temp\E0CE.exe C:\Users\Admin\AppData\Local\Temp\E0CE.exe
PID 600 set thread context of 1796 N/A C:\Users\Admin\AppData\Local\Temp\E18.exe C:\Users\Admin\AppData\Local\Temp\E18.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E2B2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\E0CE.exe
PID 1224 wrote to memory of 2856 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2B2.exe
PID 1224 wrote to memory of 2820 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2820 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1224 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1A2.exe
PID 3016 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\E0CE.exe C:\Users\Admin\AppData\Local\Temp\E0CE.exe
PID 1224 wrote to memory of 600 N/A N/A C:\Users\Admin\AppData\Local\Temp\E18.exe
PID 1224 wrote to memory of 1900 N/A N/A C:\Users\Admin\AppData\Local\Temp\22B2.exe
PID 600 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\E18.exe C:\Users\Admin\AppData\Local\Temp\E18.exe
PID 1900 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\22B2.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\22B2.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 1900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\22B2.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 1900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\22B2.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 1900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\22B2.exe C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
PID 1224 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C92.exe
PID 1224 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C92.exe
PID 1224 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C92.exe
PID 1224 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C92.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe

"C:\Users\Admin\AppData\Local\Temp\dcfdb1754a496415ec52bc74ad605e3d16ad4d8a0d1299ec35cff5e86dbdc179_JC.exe"

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E7E1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E7E1.dll

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

C:\Users\Admin\AppData\Local\Temp\E18.exe

C:\Users\Admin\AppData\Local\Temp\E18.exe

C:\Users\Admin\AppData\Local\Temp\22B2.exe

C:\Users\Admin\AppData\Local\Temp\22B2.exe

C:\Users\Admin\AppData\Local\Temp\E18.exe

C:\Users\Admin\AppData\Local\Temp\E18.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"

C:\Users\Admin\AppData\Local\Temp\2C92.exe

C:\Users\Admin\AppData\Local\Temp\2C92.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\37CA.exe

C:\Users\Admin\AppData\Local\Temp\37CA.exe

C:\Users\Admin\AppData\Local\Temp\4294.exe

C:\Users\Admin\AppData\Local\Temp\4294.exe

C:\Users\Admin\AppData\Local\Temp\57BA.exe

C:\Users\Admin\AppData\Local\Temp\57BA.exe

C:\Users\Admin\AppData\Local\Temp\2C92.exe

C:\Users\Admin\AppData\Local\Temp\2C92.exe

C:\Users\Admin\AppData\Local\Temp\37CA.exe

C:\Users\Admin\AppData\Local\Temp\37CA.exe

C:\Users\Admin\AppData\Local\Temp\4294.exe

C:\Users\Admin\AppData\Local\Temp\4294.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\22b23ec8-ba57-46ee-b5b9-1eef72c1fb84" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4294.exe

"C:\Users\Admin\AppData\Local\Temp\4294.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2C92.exe

"C:\Users\Admin\AppData\Local\Temp\2C92.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\37CA.exe

"C:\Users\Admin\AppData\Local\Temp\37CA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {D00959A5-DF84-4542-A855-60A7D49CE819} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\4294.exe

"C:\Users\Admin\AppData\Local\Temp\4294.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2C92.exe

"C:\Users\Admin\AppData\Local\Temp\2C92.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\37CA.exe

"C:\Users\Admin\AppData\Local\Temp\37CA.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\535cd4f9-4a35-40da-8910-57b840307c18\build3.exe

"C:\Users\Admin\AppData\Local\535cd4f9-4a35-40da-8910-57b840307c18\build3.exe"

C:\Users\Admin\AppData\Local\535cd4f9-4a35-40da-8910-57b840307c18\build2.exe

"C:\Users\Admin\AppData\Local\535cd4f9-4a35-40da-8910-57b840307c18\build2.exe"

C:\Users\Admin\AppData\Local\e7bb9201-ad34-4014-95e1-b2ddd0633bde\build2.exe

"C:\Users\Admin\AppData\Local\e7bb9201-ad34-4014-95e1-b2ddd0633bde\build2.exe"

C:\Users\Admin\AppData\Local\e7bb9201-ad34-4014-95e1-b2ddd0633bde\build2.exe

"C:\Users\Admin\AppData\Local\e7bb9201-ad34-4014-95e1-b2ddd0633bde\build2.exe"

C:\Users\Admin\AppData\Local\146ea8bb-aab5-42fe-9b70-d845ebf43609\build2.exe

"C:\Users\Admin\AppData\Local\146ea8bb-aab5-42fe-9b70-d845ebf43609\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\146ea8bb-aab5-42fe-9b70-d845ebf43609\build2.exe

"C:\Users\Admin\AppData\Local\146ea8bb-aab5-42fe-9b70-d845ebf43609\build2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MX 187.134.52.64:80 colisumy.com tcp
MD 176.123.9.142:14845 tcp
NL 194.169.175.233:3003 194.169.175.233 tcp
MX 187.134.52.64:80 colisumy.com tcp
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 admaiscont.com.br udp
US 142.4.24.122:443 admaiscont.com.br tcp
US 142.4.24.122:443 admaiscont.com.br tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
DE 37.27.11.1:80 37.27.11.1 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
NL 194.169.175.233:3003 194.169.175.233 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 37.27.11.1:80 37.27.11.1 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
MX 187.134.52.64:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 211.53.230.67:80 zexeq.com tcp
MX 187.134.52.64:80 colisumy.com tcp
KR 211.53.230.67:80 zexeq.com tcp
MX 187.134.52.64:80 colisumy.com tcp
KR 211.53.230.67:80 zexeq.com tcp
KR 211.53.230.67:80 zexeq.com tcp
KR 211.53.230.67:80 zexeq.com tcp

Files

memory/2576-55-0x00000000023E0000-0x00000000024E0000-memory.dmp

memory/2576-56-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2576-57-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/1224-58-0x00000000029F0000-0x0000000002A06000-memory.dmp

memory/2576-59-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/2576-62-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

memory/2856-78-0x0000000000230000-0x0000000000260000-memory.dmp

memory/2856-79-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

memory/2856-87-0x00000000003D0000-0x00000000003D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E7E1.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

memory/2856-85-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2732-89-0x0000000001F90000-0x0000000002204000-memory.dmp

\Users\Admin\AppData\Local\Temp\E7E1.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

memory/2732-90-0x0000000001F90000-0x0000000002204000-memory.dmp

memory/2732-91-0x0000000000140000-0x0000000000146000-memory.dmp

memory/2856-93-0x0000000004690000-0x00000000046D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

C:\Users\Admin\AppData\Local\Temp\F1A2.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

memory/3016-101-0x0000000003070000-0x00000000030E8000-memory.dmp

memory/3016-100-0x0000000001A80000-0x0000000001AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

\Users\Admin\AppData\Local\Temp\E0CE.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/2736-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E0CE.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/2736-106-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2736-109-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2856-110-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2736-111-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3048-112-0x00000000002E0000-0x000000000031F000-memory.dmp

memory/3048-113-0x0000000003290000-0x00000000032C8000-memory.dmp

memory/3048-114-0x0000000000400000-0x00000000018D6000-memory.dmp

memory/3048-115-0x0000000005D10000-0x0000000005D50000-memory.dmp

memory/3048-116-0x0000000005D10000-0x0000000005D50000-memory.dmp

memory/2856-117-0x0000000004690000-0x00000000046D0000-memory.dmp

memory/3048-118-0x0000000000220000-0x0000000000249000-memory.dmp

memory/3048-119-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/3048-120-0x00000000037B0000-0x00000000037E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E18.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/3048-128-0x00000000034D0000-0x00000000034D6000-memory.dmp

memory/3048-129-0x0000000005D10000-0x0000000005D50000-memory.dmp

memory/3048-130-0x0000000000400000-0x00000000018D6000-memory.dmp

memory/2736-139-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3048-149-0x0000000005D10000-0x0000000005D50000-memory.dmp

memory/3048-147-0x0000000005D10000-0x0000000005D50000-memory.dmp

memory/1900-146-0x0000000000210000-0x00000000002CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22B2.exe

MD5 00f2d53d4e13ead70fb44c3a7c251675
SHA1 5933e3de281fb95625099ef9a788b3cddf48c96a
SHA256 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
SHA512 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a

C:\Users\Admin\AppData\Local\Temp\22B2.exe

MD5 00f2d53d4e13ead70fb44c3a7c251675
SHA1 5933e3de281fb95625099ef9a788b3cddf48c96a
SHA256 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7
SHA512 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a

C:\Users\Admin\AppData\Local\Temp\E18.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

\Users\Admin\AppData\Local\Temp\E18.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/1900-154-0x0000000074B70000-0x000000007525E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E18.exe

MD5 360b64a7fa47c27453a19c9aec6929aa
SHA1 5d9f36ef5344b9ce8fc18d1e413cdce6ebd95a88
SHA256 e0463b5d50bc14313cc77cd321893788e68b2741c7db81a391837f797c5704a1
SHA512 4b1ce827e486bc6da71ee447ede7c38e2a3f179ff9ebab25293ba833e09bebe2cada7b806899df1de04eed3139b83b5d8313ef8c90112b1629e31fba6eff439a

memory/1796-158-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3048-159-0x0000000074B70000-0x000000007525E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab29C1.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

memory/1544-179-0x00000000FFE70000-0x00000000FFEDA000-memory.dmp

\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2C92.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1900-193-0x0000000074B70000-0x000000007525E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\latestplayer.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2C92.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/3048-177-0x0000000005D10000-0x0000000005D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 9c41471456337de6ded08b8c1ea8902d
SHA1 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba
SHA256 d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b
SHA512 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc

C:\Users\Admin\AppData\Local\Temp\Tar2F5F.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3048-209-0x0000000005D10000-0x0000000005D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37CA.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2732-228-0x0000000002570000-0x0000000002665000-memory.dmp

memory/1544-231-0x0000000002D60000-0x0000000002ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4294.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1544-236-0x0000000002EE0000-0x0000000003011000-memory.dmp

memory/2732-253-0x00000000009A0000-0x0000000000A7E000-memory.dmp

memory/1796-256-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2732-257-0x00000000009A0000-0x0000000000A7E000-memory.dmp

memory/2736-258-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2736-264-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2732-275-0x00000000009A0000-0x0000000000A7E000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\57BA.exe

MD5 95b5d704628cc3f5f08243004b573934
SHA1 05893e3fcf028894e3519dd402279554ebec5189
SHA256 e05618242af3612fcdbf617c7764a105fc9b44f849fb2e411593c746ae996482
SHA512 f252934fc25b94d50e0e39ed15740b12d6ecbeffe906d305621e0b583f0bb7f08fde6266d23d31db85ba05ba325e66e7e8b05ec3e462518ab714a4ee7b29b9a0

memory/2528-299-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C92.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\2C92.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2528-300-0x0000000003170000-0x000000000328B000-memory.dmp

memory/1340-305-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C92.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1340-308-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1340-309-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1544-315-0x0000000002EE0000-0x0000000003011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37CA.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\37CA.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\37CA.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1476-325-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcee4fa957140bb38c7eabc2c0967837
SHA1 d9951538ca5ce3f24e9a7f1037d506b42e9e3bae
SHA256 04b8b00a9ff77a6968efa064ce59916e1a6b4c5504e8c401408a0cd7e3d286f8
SHA512 dfc8d48fd874cdf2a74234c3d9e086e0a94e90f3a4684e31d0392dbf427a9bd5e1409828b805b497c059ef5b86f5ebe5606ac37175cf994d6f3f68b9d563d2e1

memory/2736-334-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3781cc7692f87928efa5a279c79e76b6
SHA1 674f3e336a058356954df0c452fd481a324f6dae
SHA256 0d89db11ff5bbda398913e82afbec45d0b7ff242f48a3207f91cc98f54625264
SHA512 5e505629d890c3b15937a9726f91dc51fb4c078c98001072903d785f84276ee56c0a2523c77b27f41c0185184bc98d3fa173b4678ea549aeca13128712fb3d0b

memory/2736-357-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4294.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\4294.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\4294.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2012-366-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 a4055998d457ff53f084b4bc3d5733be
SHA1 16e91e70c0add28bd37ad9fc62f64efb2fe68328
SHA256 a383dd5b3f94d339e34ee947429790f91139195ffc2d412f8f1e8d928c568e02
SHA512 f5efd9224dd410cd6d7c7e368fde30d69a22f70c3325ce0118cb5a8d63cf1be8d6987a0b1fb401590e53922e9cc5e36d72bf4f5d0579825bfd3f5ca142eb3e2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 91d59ea2f3257a955e2255f336da59bb
SHA1 f138077c1e604bb60062004fa2a4fb0ebbc6be34
SHA256 d1a14d2fb21738523a59e22ded7d5d14eb4157be7de0791c53398c1c9e3b050a
SHA512 21ddc22a1831e84bf097de9a637a3e60a82e5f9270200856c26f5d40fe0a7e372a81877746a09ef33bbe7cd4e821fdd1689e5d42c16f824ff3e05dfc4cc22e73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a8cfb50a0e434d61c5950c39939c75ab
SHA1 bed51ce8cf805476ca8763e14a8fb83224734587
SHA256 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67
SHA512 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 f635a778dd5e64732b8ed00f9fd2c6c7
SHA1 396a11b422b7955f6bf94dccf33256445ab8256f
SHA256 b8772ea73ded0db40a47ba517ca248c9b0a09412837d30def7f2a5f752e2bcdc
SHA512 e40de23e0e28d8ec2700a89202ae6276c229ff9575175f77547aa17294253eeafddf775f1cf17d73424834a75f5509311e8394de586704ad8d95ddda954f6a51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30f5a994f5419bc52f88d50ea7f3d901
SHA1 a1b908fdd8e3976faf54cebf28d1aace9d38f7f2
SHA256 1b5ee2c918e243f713f0c3a13e675a6edda3532f56390d8f509a82e305b801c5
SHA512 bf5c6dc8e7999d5e9c8e02f9924b90ca403852ebea30a0249d109903b59dde9087324118e37d4f958309ea5b4c48cf6a1dda233f43362bd4b4f16bb2c8085d3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a8cfb50a0e434d61c5950c39939c75ab
SHA1 bed51ce8cf805476ca8763e14a8fb83224734587
SHA256 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67
SHA512 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 f635a778dd5e64732b8ed00f9fd2c6c7
SHA1 396a11b422b7955f6bf94dccf33256445ab8256f
SHA256 b8772ea73ded0db40a47ba517ca248c9b0a09412837d30def7f2a5f752e2bcdc
SHA512 e40de23e0e28d8ec2700a89202ae6276c229ff9575175f77547aa17294253eeafddf775f1cf17d73424834a75f5509311e8394de586704ad8d95ddda954f6a51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 5fb87353f8359a12db2f11749964b40e
SHA1 d06275da9bf83611e51cd4e1fbe50189f2cb0dfb
SHA256 0ee94ff300bcdc83a958ea7f851d269dc8130591986222ac3c3815fbc3f47b95
SHA512 5ae84edd84f90d7a5c3348fea8e715a2bb9c29dbd326e191a01bd8f1730c93c88f748cb85b87051ab0a4d2260f4844f39de7f1fe83e0716a7f10ec38b7c90c0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30f5a994f5419bc52f88d50ea7f3d901
SHA1 a1b908fdd8e3976faf54cebf28d1aace9d38f7f2
SHA256 1b5ee2c918e243f713f0c3a13e675a6edda3532f56390d8f509a82e305b801c5
SHA512 bf5c6dc8e7999d5e9c8e02f9924b90ca403852ebea30a0249d109903b59dde9087324118e37d4f958309ea5b4c48cf6a1dda233f43362bd4b4f16bb2c8085d3b

C:\Users\Admin\AppData\Local\22b23ec8-ba57-46ee-b5b9-1eef72c1fb84\37CA.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\4294.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\4294.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2012-430-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2856-433-0x0000000074B70000-0x000000007525E000-memory.dmp

\Users\Admin\AppData\Local\Temp\2C92.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

C:\Users\Admin\AppData\Local\Temp\2C92.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

\Users\Admin\AppData\Local\Temp\37CA.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/1340-442-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2704-446-0x0000000005D20000-0x0000000005D60000-memory.dmp

memory/2704-445-0x0000000005D20000-0x0000000005D60000-memory.dmp

memory/2704-448-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/1476-450-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37CA.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2704-452-0x0000000000400000-0x00000000018D6000-memory.dmp

memory/2704-453-0x0000000005D20000-0x0000000005D60000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 7232f3f2af5936a2db03d9a84500b282
SHA1 8714a3f731635d55bac492c6579e4eb100447cb6
SHA256 1170894f5d04da749fb831c0f1561c8901e52ba20c1482a68ae8378d3f2be78d
SHA512 723a765f4a18777493bf1a976cff7a34b494cedc37e9764bb8de7c6a41008396702b0ecec91b16de1a3f2cc1e67721d4598436da6e2c964c728a3c83614973ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 322e553a5e61464f884af876bfe81c54
SHA1 a26698b81ac1a6b1300f98fbefb052b487def79d
SHA256 f4cc457322e4e37b2f3a927ed22cb83c9ebc32727e77232b9f19e69e05a9aa58
SHA512 5efc75d923e1f0d16835337f0afd87be79f0871fc47e5df9cd93b1eda8b711b7d2b8a1a7d69d6e25190439ba57ab6baf1ccf83af5ac03a0184f14062e856b000

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78800ea1ccc869f22f9f4778ac081835
SHA1 e42b86a13decbd00916318eaeebe9094212e01e3
SHA256 9ff6c8b6bcfb534385bcf8e1d1aa99e67cab4fe4dcb9d8c803680904bee6e420
SHA512 24a72fa16e4bf0aa5b712aee5313764a388a397bd9bc2f5db8151bb63b1de12140387850e4114f28f31603aef78984698358d39325c6fe5f518eb7e8a15d9a15

memory/2704-469-0x0000000005D20000-0x0000000005D60000-memory.dmp

memory/2704-470-0x0000000005D20000-0x0000000005D60000-memory.dmp

memory/2704-472-0x0000000005D20000-0x0000000005D60000-memory.dmp

\Users\Admin\AppData\Local\Temp\4294.exe

MD5 62331a18f8f46e012b0798c8a453be60
SHA1 af5cdd07437449b329848804e43ac4752c2ce127
SHA256 7f1300f341eb3d29b55ee6ca957d260baf7106e56c0674b12de6ff99e1ce07f1
SHA512 754d5db14f2a592f4590a7c2b8eb1a8b824b96b49771920afddadf141437e652a6c088a9d75938f465fa571ef94e15e4a4353b05f9d05601b7587664210e8605

memory/2704-474-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2976-483-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-484-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2704-487-0x0000000005D20000-0x0000000005D60000-memory.dmp

memory/2000-494-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3048-504-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/3048-508-0x0000000000400000-0x00000000018D6000-memory.dmp

C:\Users\Admin\AppData\Local\535cd4f9-4a35-40da-8910-57b840307c18\build2.exe

MD5 5fff52c407b5b46c10416067dac16d62
SHA1 c2263843ea244e5bd6c403342efaadd0af1c5522
SHA256 f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
SHA512 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352

C:\Users\Admin\AppData\Local\535cd4f9-4a35-40da-8910-57b840307c18\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a