Malware Analysis Report

2025-01-18 07:12

Sample ID 230813-vr5gzafe41
Target b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466
SHA256 b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466
Tags djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466

Threat Level: Known bad

The file b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466 was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

RedLine

Djvu Ransomware

SmokeLoader

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Modifies file permissions

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2023-08-13 17:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-08-13 17:14

Reported 2023-08-13 17:17

Platform win10-20230703-en

Max time kernel 150s

Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5f5e559e-51e4-40f5-a979-c720bd65ddd4\\20A2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\20A2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 824 set thread context of 4816 N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe C:\Users\Admin\AppData\Local\Temp\20A2.exe
PID 4088 set thread context of 5012 N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe C:\Users\Admin\AppData\Local\Temp\20A2.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22A7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\28F2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 824 N/A N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe
PID 3244 wrote to memory of 224 N/A N/A C:\Users\Admin\AppData\Local\Temp\22A7.exe
PID 3244 wrote to memory of 700 N/A N/A C:\Windows\system32\regsvr32.exe
PID 700 wrote to memory of 4604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3244 wrote to memory of 1312 N/A N/A C:\Users\Admin\AppData\Local\Temp\28F2.exe
PID 824 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe C:\Users\Admin\AppData\Local\Temp\20A2.exe
PID 4816 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe C:\Windows\SysWOW64\icacls.exe
PID 4816 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe C:\Users\Admin\AppData\Local\Temp\20A2.exe
PID 4088 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe C:\Users\Admin\AppData\Local\Temp\20A2.exe
PID 5012 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\20A2.exe C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe
PID 4920 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1908 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe

"C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe"

C:\Users\Admin\AppData\Local\Temp\20A2.exe

C:\Users\Admin\AppData\Local\Temp\20A2.exe

C:\Users\Admin\AppData\Local\Temp\22A7.exe

C:\Users\Admin\AppData\Local\Temp\22A7.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\25E4.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\25E4.dll

C:\Users\Admin\AppData\Local\Temp\28F2.exe

C:\Users\Admin\AppData\Local\Temp\28F2.exe

C:\Users\Admin\AppData\Local\Temp\20A2.exe

C:\Users\Admin\AppData\Local\Temp\20A2.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5f5e559e-51e4-40f5-a979-c720bd65ddd4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\20A2.exe

"C:\Users\Admin\AppData\Local\Temp\20A2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\20A2.exe

"C:\Users\Admin\AppData\Local\Temp\20A2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe

"C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MK 95.86.21.52:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 52.21.86.95.in-addr.arpa udp
NL 194.169.175.233:3003 194.169.175.233 tcp
US 8.8.8.8:53 233.175.169.194.in-addr.arpa udp
MK 95.86.21.52:80 colisumy.com tcp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 zexeq.com udp
MK 95.86.21.52:80 colisumy.com tcp
MX 187.211.35.122:80 zexeq.com tcp
US 8.8.8.8:53 122.35.211.187.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
MX 187.211.35.122:80 zexeq.com tcp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\20A2.exe

MD5 266896e7e2d506f89329bb619bab4308
SHA1 0784edc05448c5d9b539e4691ea1a9a9353c59d9
SHA256 c9964e538d02daf8e0b3ec0e218072333b23be6fbb2fce50570fef44bca24b65
SHA512 acaf22d619c64b16dffcc4a0cac350fb4f42bf87930fd5296fdb7a5ba9a1293aec50d13bad573f6e4dd364009e418794fa2c230894b484571253ea67123ed144

C:\Users\Admin\AppData\Local\Temp\22A7.exe

MD5 7e00f4836c516917a5861eda86a3d75c
SHA1 e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3
SHA256 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94
SHA512 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad

C:\Users\Admin\AppData\Local\Temp\25E4.dll

MD5 26e1245dd1956f78db2f5df66797be05
SHA1 f348aa001f8e07d0827381f2fa25a70989290960
SHA256 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf
SHA512 cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee

C:\Users\Admin\AppData\Local\Temp\28F2.exe

MD5 76b6104b8a6a69cf736fb896affecdd3
SHA1 317bf0b92075c47c9d609b92de6bb9020f30e453
SHA256 003b8ae60ba3c352ccc319aeded1c85b145a27e75a84bdc5646feea7cdb606a9
SHA512 9915d45c39a8d5219430f6fa51a5837ff84f55fde4050cc9932a1cdc26bf4b1590f06229504dca82ebda4568987a2186e9703baa7edbdf153c84c70e8491c210

C:\Users\Admin\AppData\Local\5f5e559e-51e4-40f5-a979-c720bd65ddd4\20A2.exe

MD5 266896e7e2d506f89329bb619bab4308
SHA1 0784edc05448c5d9b539e4691ea1a9a9353c59d9
SHA256 c9964e538d02daf8e0b3ec0e218072333b23be6fbb2fce50570fef44bca24b65
SHA512 acaf22d619c64b16dffcc4a0cac350fb4f42bf87930fd5296fdb7a5ba9a1293aec50d13bad573f6e4dd364009e418794fa2c230894b484571253ea67123ed144

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 38fe20464f4566665a3e93bc25958d45
SHA1 f1da804263c20548ab1520bb7f728cba31aa1af9
SHA256 aa075f76b582d3c8d6aecc2a2b643a6434a818e44b20933625a2c30d21d78d7a
SHA512 c1ed7d73f7864e274259580c432f6efcd5b08251fa7e131d731b8421cfcb440d6436a57bac81fa74db9f12eb3aef8853bdf5454773dc33d89354ba1e9ba2679e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 16d82032164bbdfc89fefbb31988cbb1
SHA1 78436de0a3b09260bd10f8c4d03c70ec58bb7f90
SHA256 c6c73df2fb8f57ad1ccad37087e57e2ea55d22f36d613c97ba4b38de0556a414
SHA512 98df3504e786c9e8b81877264bd185cbb8e46b55ea6e94bffacfbabd23cb2c7ef11098195e06f1d6919403ec9ecc8de2a6736fd5e015d1c8358dd75c62099f0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 91d59ea2f3257a955e2255f336da59bb
SHA1 f138077c1e604bb60062004fa2a4fb0ebbc6be34
SHA256 d1a14d2fb21738523a59e22ded7d5d14eb4157be7de0791c53398c1c9e3b050a
SHA512 21ddc22a1831e84bf097de9a637a3e60a82e5f9270200856c26f5d40fe0a7e372a81877746a09ef33bbe7cd4e821fdd1689e5d42c16f824ff3e05dfc4cc22e73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 8f7bb44c968ffa609c65b5b9117cc9ed
SHA1 0fd4862a55d0088a7cfdbff65a338e0507fa7d66
SHA256 6f94417de1b1f6d932dc46e660e17bff263e2f0620c0ecb282cac579553eb84d
SHA512 e9d6c64c540317446caf86ffe4af066b6b35c5bca973cf6a8ff6a909ada4e8d69d85a74a10453da95a48e17ecde6a6532e477502b6ec1b6e46a120dea809cff3

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
