Malware Analysis Report

2025-04-14 07:56

Sample ID 230907-t493jsbg6t
Target JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97
SHA256 9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97
Tags
amadey djvu redline smokeloader lux3 backdoor discovery infostealer ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97

Threat Level: Known bad

The file JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97 was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader lux3 backdoor discovery infostealer ransomware trojan

SmokeLoader

RedLine

Djvu Ransomware

Detected Djvu ransomware

Amadey

Downloads MZ/PE file

Modifies file permissions

Loads dropped DLL

Deletes itself

Executes dropped EXE

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-07 16:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-07 16:37

Reported

2023-09-07 16:40

Platform

win7-20230831-en

Max time kernel

46s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2620 set thread context of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2536 set thread context of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 1204 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 1204 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 1204 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 2620 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\11AD.exe C:\Users\Admin\AppData\Local\Temp\11AD.exe
PID 1204 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\1556.exe
PID 1204 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\1556.exe
PID 1204 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\1556.exe
PID 1204 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\1556.exe
PID 1204 wrote to memory of 2544 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2544 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2544 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2544 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2544 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2544 wrote to memory of 2516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 440 wrote to memory of 576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 440 wrote to memory of 576 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 1204 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 1204 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 1204 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe
PID 2536 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\22F0.exe C:\Users\Admin\AppData\Local\Temp\22F0.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe

"C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe"

C:\Users\Admin\AppData\Local\Temp\11AD.exe

C:\Users\Admin\AppData\Local\Temp\11AD.exe

C:\Users\Admin\AppData\Local\Temp\11AD.exe

C:\Users\Admin\AppData\Local\Temp\11AD.exe

C:\Users\Admin\AppData\Local\Temp\1556.exe

C:\Users\Admin\AppData\Local\Temp\1556.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1834.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1834.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1C89.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1C89.dll

C:\Users\Admin\AppData\Local\Temp\22F0.exe

C:\Users\Admin\AppData\Local\Temp\22F0.exe

C:\Users\Admin\AppData\Local\Temp\22F0.exe

C:\Users\Admin\AppData\Local\Temp\22F0.exe

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

C:\Users\Admin\AppData\Local\Temp\3144.exe

C:\Users\Admin\AppData\Local\Temp\3144.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6e8adcd8-d9d8-4a64-8f12-9c5958a964c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3144.exe

C:\Users\Admin\AppData\Local\Temp\3144.exe

C:\Users\Admin\AppData\Local\Temp\22F0.exe

"C:\Users\Admin\AppData\Local\Temp\22F0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\22F0.exe

"C:\Users\Admin\AppData\Local\Temp\22F0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

"C:\Users\Admin\AppData\Local\Temp\2EE2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

"C:\Users\Admin\AppData\Local\Temp\2EE2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6050.exe

C:\Users\Admin\AppData\Local\Temp\6050.exe

C:\Users\Admin\AppData\Local\Temp\6050.exe

C:\Users\Admin\AppData\Local\Temp\6050.exe

C:\Users\Admin\AppData\Local\Temp\11AD.exe

"C:\Users\Admin\AppData\Local\Temp\11AD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\11AD.exe

"C:\Users\Admin\AppData\Local\Temp\11AD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3144.exe

"C:\Users\Admin\AppData\Local\Temp\3144.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3144.exe

"C:\Users\Admin\AppData\Local\Temp\3144.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\83A9.exe

C:\Users\Admin\AppData\Local\Temp\83A9.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6050.exe

"C:\Users\Admin\AppData\Local\Temp\6050.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\443e00f1-1c01-4059-a5c2-df5b58b2ad95\build3.exe

"C:\Users\Admin\AppData\Local\443e00f1-1c01-4059-a5c2-df5b58b2ad95\build3.exe"

C:\Users\Admin\AppData\Local\443e00f1-1c01-4059-a5c2-df5b58b2ad95\build2.exe

"C:\Users\Admin\AppData\Local\443e00f1-1c01-4059-a5c2-df5b58b2ad95\build2.exe"

C:\Users\Admin\AppData\Local\Temp\E0A8.exe

C:\Users\Admin\AppData\Local\Temp\E0A8.exe

C:\Users\Admin\AppData\Local\6d548fae-9542-4646-aa94-e1e85a94c38f\build2.exe

"C:\Users\Admin\AppData\Local\6d548fae-9542-4646-aa94-e1e85a94c38f\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\1000061001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000061001\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\47F.exe

C:\Users\Admin\AppData\Local\Temp\47F.exe

C:\Users\Admin\AppData\Local\Temp\2C9.exe

C:\Users\Admin\AppData\Local\Temp\2C9.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2CD7.dll

C:\Users\Admin\AppData\Local\Temp\2E2F.exe

C:\Users\Admin\AppData\Local\Temp\2E2F.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2CD7.dll

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /D /T

C:\Users\Admin\AppData\Local\Temp\47F.exe

C:\Users\Admin\AppData\Local\Temp\47F.exe

C:\Users\Admin\AppData\Local\Temp\6AE2.exe

C:\Users\Admin\AppData\Local\Temp\6AE2.exe

C:\Users\Admin\AppData\Local\Temp\6CC6.exe

C:\Users\Admin\AppData\Local\Temp\6CC6.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\70EC.dll

C:\Users\Admin\AppData\Local\Temp\6CC6.exe

C:\Users\Admin\AppData\Local\Temp\6CC6.exe

C:\Users\Admin\AppData\Local\Temp\7449.exe

C:\Users\Admin\AppData\Local\Temp\7449.exe

C:\Users\Admin\AppData\Local\Temp\738D.exe

C:\Users\Admin\AppData\Local\Temp\738D.exe

C:\Users\Admin\AppData\Local\Temp\72D1.exe

C:\Users\Admin\AppData\Local\Temp\72D1.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {04A16BF1-D932-43CE-8EC6-F2C42F5A0106} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\6d548fae-9542-4646-aa94-e1e85a94c38f\build2.exe

"C:\Users\Admin\AppData\Local\6d548fae-9542-4646-aa94-e1e85a94c38f\build2.exe"

C:\Users\Admin\AppData\Local\443e00f1-1c01-4059-a5c2-df5b58b2ad95\build2.exe

"C:\Users\Admin\AppData\Local\443e00f1-1c01-4059-a5c2-df5b58b2ad95\build2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Roaming\gguecbg

C:\Users\Admin\AppData\Roaming\gguecbg

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\70EC.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
MD 176.123.9.142:14845 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
PE 190.187.52.42:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
PE 190.187.52.42:80 colisumy.com tcp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
BG 95.158.162.200:80 zexeq.com tcp
PE 190.187.52.42:80 colisumy.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
BG 95.158.162.200:80 zexeq.com tcp
PE 190.187.52.42:80 colisumy.com tcp

Files

memory/1900-2-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1900-1-0x0000000002400000-0x0000000002500000-memory.dmp

memory/1900-3-0x0000000000400000-0x00000000022EA000-memory.dmp

memory/1204-4-0x0000000002980000-0x0000000002996000-memory.dmp

memory/1900-5-0x0000000000400000-0x00000000022EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

memory/2620-17-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2620-18-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2704-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2704-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2620-21-0x0000000003D20000-0x0000000003E3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

memory/2704-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2704-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1556.exe

MD5 c3fc3220dd39a2450b691dbc06f23cf2
SHA1 0237e6a3daa1a623c801fce75149c36cd64ba503
SHA256 0900e88d7d4150623fa82b4d24ab4ff6d5a8951487c29238366c6bd881927b8e
SHA512 6ef400dadb87d6be43a848b937498cb53dae3720e8b509126e70973eddba820bf2f489577663b3d80d0f865103e500710b9132da2ad1d352bd288a00f8b94b61

C:\Users\Admin\AppData\Local\Temp\1556.exe

MD5 c3fc3220dd39a2450b691dbc06f23cf2
SHA1 0237e6a3daa1a623c801fce75149c36cd64ba503
SHA256 0900e88d7d4150623fa82b4d24ab4ff6d5a8951487c29238366c6bd881927b8e
SHA512 6ef400dadb87d6be43a848b937498cb53dae3720e8b509126e70973eddba820bf2f489577663b3d80d0f865103e500710b9132da2ad1d352bd288a00f8b94b61

memory/2772-36-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1834.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

memory/2772-35-0x00000000003C0000-0x00000000003F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\1834.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

C:\Users\Admin\AppData\Local\Temp\1556.exe

MD5 c3fc3220dd39a2450b691dbc06f23cf2
SHA1 0237e6a3daa1a623c801fce75149c36cd64ba503
SHA256 0900e88d7d4150623fa82b4d24ab4ff6d5a8951487c29238366c6bd881927b8e
SHA512 6ef400dadb87d6be43a848b937498cb53dae3720e8b509126e70973eddba820bf2f489577663b3d80d0f865103e500710b9132da2ad1d352bd288a00f8b94b61

memory/2516-44-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2772-45-0x0000000001E30000-0x0000000001E36000-memory.dmp

memory/2772-48-0x00000000746C0000-0x0000000074DAE000-memory.dmp

memory/2516-49-0x00000000000C0000-0x00000000000C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1C89.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

\Users\Admin\AppData\Local\Temp\1C89.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

memory/2516-52-0x0000000002310000-0x0000000002423000-memory.dmp

memory/576-54-0x00000000001F0000-0x00000000001F6000-memory.dmp

memory/2772-56-0x00000000047A0000-0x00000000047E0000-memory.dmp

memory/576-65-0x00000000021A0000-0x00000000022B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2516-66-0x0000000002430000-0x000000000252A000-memory.dmp

memory/2516-71-0x0000000002430000-0x000000000252A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2536-74-0x00000000002B0000-0x0000000000342000-memory.dmp

memory/2536-76-0x00000000002B0000-0x0000000000342000-memory.dmp

memory/2516-75-0x0000000002430000-0x000000000252A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2536-77-0x0000000002370000-0x000000000248B000-memory.dmp

memory/1572-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2516-82-0x0000000002430000-0x000000000252A000-memory.dmp

memory/1572-86-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/576-90-0x00000000022C0000-0x00000000023BA000-memory.dmp

memory/576-88-0x00000000022C0000-0x00000000023BA000-memory.dmp

memory/1572-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/576-92-0x00000000022C0000-0x00000000023BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2DC6.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aee6f1695c20a9b0a3eb03af9a27bb74
SHA1 6f029c785f1c58eb77d4fcf5d9d01afd8b76ce9a
SHA256 b34b9e3c9f07281e9a624e1b311ca29d4265d15ec1cabed98d111509cf303669
SHA512 bc9d9d7b436e5726d93c91917cf5eb700d1c84aec66f75d40b40a480dca60a0b6a2543590a9d29cebdee1c555e9a6c32f352e141ebe2bfcb73a882c11012c63f

C:\Users\Admin\AppData\Local\Temp\Tar2F2C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/1624-116-0x00000000002B0000-0x0000000000342000-memory.dmp

memory/1624-117-0x00000000002B0000-0x0000000000342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e00aae7cdc6f7fc7fbc43d5858b9555
SHA1 bc926a42f09cda4db754b626caa01346b96304c7
SHA256 a2bc6d015bf58719fd2608f716715e9a05fa818ae23b77ec6c561824913e6eb1
SHA512 a1c75e0a529b06aeb99fddc8c23d28a5b714f4ba7a719744546216631a4006694ec93f467622dbedaaebccbd4b06d39e1171722d99cea0a50fa92546fa247dc8

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 3e5735357db2592800177fcef3435bd8
SHA1 9b1aa119ea04d34e012d3ccb029dd09a881b4811
SHA256 230457d61a28ae8132b6c205e80e84858b8a002e54244018150f4815422f7e49
SHA512 3f5dac3615ea9b983e481a748aa42de009a296d6280d475e8c5225892eb87f6129d16891d017d17bfbcc5a68e19ee6fa3b5adb286291991534a0d8ecfcd7c2ca

memory/2296-160-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2772-159-0x00000000746C0000-0x0000000074DAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/240-176-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99a1dd0e9ad480c27eaa09342818f143
SHA1 efae2903729a74e0c9781516ef1401ffdc8bd098
SHA256 17c5da92db721c3452662e3af6f88d67bc5b42275fe7eaf360b941ec2d4fea46
SHA512 7fe37ccf24cf28d5f2e286384f356b46940ad0cdf32de152c112e436a743d70b6207f1169425963ad7d1f56cf62f165482e6136a6b75410d16c7dce82518427e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 ae5be677e505aec1d2ae6ac82539b2e8
SHA1 8b6d31dd6097a32b2f71c134da59f5c6c0cd5d99
SHA256 24239d4a210aa645caf5443aa0fabb214776179114e92cbb612ace0a26e3d09e
SHA512 fe526b2b092ff099f3f8f57717913ddbaabc7c26b3b6b8b206185aa5aba71e3ebf3f1e5d5f2eded0cc2fd4f7b428178800dad61b59e7aa9ce75c431e6a1801e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 c831863c4aa48af47f97f6054b9b6d4b
SHA1 09e600357ef1587fad7c0770e1e1101c256355b2
SHA256 ef06025c1b241e15c575bf3fa90b1fe7c0bbacce6b987ad1a4f77d79497ec73a
SHA512 32def8e2707af07cb46fef206c276c12f72be01149ba91f2c87b048ce16fe44bcba478175243d299da32224297497d1671ec7e0b98569d9b95405bef99053f58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b48c37414206b33557ce1230461e53ed
SHA1 af289afa0c9ba9044e0db7f77dea94c81f52d3b1
SHA256 5497d30f00ca1b434c2736cfc2d86fe8e552f533a52d04c97b3f115c19345504
SHA512 74f906a24d12d45bf8f7c45ee1aaeead764d99f22d7852de4893a123742ec0ec35d9e43c1aaf965d8185cba434cc789e82a52d36071acc766896447d57b44ce0

C:\Users\Admin\AppData\Local\6e8adcd8-d9d8-4a64-8f12-9c5958a964c5\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

memory/240-161-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/240-183-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 92a89ec6118067f8f5454089139c6c05
SHA1 d8cc2ea23305317a232a24c29193f70eb1ef8b09
SHA256 fb34bfc13cb9e22e33c97e41d2e7d5725185d0d7e96c895746a503f6849ffdcf
SHA512 79474f2d4b218b2f575b1b36cb1ad314b429d628dad12ea37977c390d7a52bf68c47beb56d5bbeb6e6da1785229d77c7726022563186514eddec496843b85b96

\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/1736-196-0x0000000000220000-0x00000000002B2000-memory.dmp

\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/1736-194-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/1572-191-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1684-190-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2772-205-0x00000000047A0000-0x00000000047E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22F0.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2296-219-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2704-221-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6050.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

memory/1576-237-0x0000000000220000-0x00000000002B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/284-225-0x0000000003A90000-0x0000000003B22000-memory.dmp

memory/1684-250-0x0000000000400000-0x0000000000537000-memory.dmp

memory/284-247-0x0000000003A90000-0x0000000003B22000-memory.dmp

memory/1576-266-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2704-265-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6050.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\2EE2.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\6050.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\Temp\6050.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\Temp\3144.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2260-279-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11AD.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\83A9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\83A9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\6050.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\Temp\6050.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\6050.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

\Users\Admin\AppData\Local\6d548fae-9542-4646-aa94-e1e85a94c38f\build2.exe

MD5 e43099bbc23b6340d4585fa2335f3b28
SHA1 a9c28a77eff114229d3b50f4b6e6e5a0e1fb30c7
SHA256 fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255
SHA512 a31df980c95ab55bad1925eed3a68460f689c63ccc33ea458876aaf3aa16ad8b1272247f806a8ce93c2c8461ad4806a309cf623cbf9f6f9829d9b9db1d3ee3e4

C:\Users\Admin\AppData\Local\443e00f1-1c01-4059-a5c2-df5b58b2ad95\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\1000061001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1480-382-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 0a4f5a793a2d9b132c2ca0ddf9042823
SHA1 6bd8770ea7bdcfa79707f3f8aab9ea0423ee819e
SHA256 18efbf3cb9f6d43ea3befea1ba44ab18f38f4ca3e6f0e428d483558252ddaf0d
SHA512 a4cbc2782d731ef827a19881820ac9c593fea25220e7beb33e1cdb83a8dacafcdd64ce3f28fd5b93e017275081fc72e5b802ec37eec2cd8151cb4f1bef20f30b

C:\Users\Admin\AppData\Local\6d548fae-9542-4646-aa94-e1e85a94c38f\build2.exe

MD5 e43099bbc23b6340d4585fa2335f3b28
SHA1 a9c28a77eff114229d3b50f4b6e6e5a0e1fb30c7
SHA256 fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255
SHA512 a31df980c95ab55bad1925eed3a68460f689c63ccc33ea458876aaf3aa16ad8b1272247f806a8ce93c2c8461ad4806a309cf623cbf9f6f9829d9b9db1d3ee3e4

memory/2580-450-0x00000000002B0000-0x0000000000342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\738D.exe

MD5 b3bce1a26099d4e168ce62cbd3f5f1ec
SHA1 c1bc28d236b980b1e0509ca6e27d2bcda0b83780
SHA256 8d1201ed137fe2deb674bbd448638561583695d31395b72c19f4e18a5bd54bdc
SHA512 53ffdba8bfd6019179539c6ca7fbf60adbfad27eccd8643817c108c30aad78ac13cf319268d4b6ec550e2219c0f4c7730119427cb4da40c3ad8719d974efd1a8

C:\Users\Admin\AppData\Local\Temp\7449.exe

MD5 4d08a2f66551dc3946d163939fe36b17
SHA1 35549f98be7ba5ee9fe526e7971e0438e70887b7
SHA256 9b70b231216df1b7631cd47c6ef28aa967b9d79f9e51d25e4e0da27c659300aa
SHA512 b4c8965f2eb40737bb5a60cfce5ea4cd1113a441d9864cdbf446c929a5218c9ac367b8b935b8c42dc9b7a480d67e4d8c2d5734479c910304b530362fd1813901

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-07 16:37

Reported

2023-09-07 16:40

Platform

win10v2004-20230831-en

Max time kernel

57s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 2164 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 3264 wrote to memory of 2164 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 3264 wrote to memory of 2164 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 3264 wrote to memory of 1936 N/A N/A C:\Users\Admin\AppData\Local\Temp\3D53.exe
PID 3264 wrote to memory of 1936 N/A N/A C:\Users\Admin\AppData\Local\Temp\3D53.exe
PID 3264 wrote to memory of 1936 N/A N/A C:\Users\Admin\AppData\Local\Temp\3D53.exe
PID 3264 wrote to memory of 820 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3264 wrote to memory of 820 N/A N/A C:\Windows\system32\regsvr32.exe
PID 820 wrote to memory of 2144 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 820 wrote to memory of 2144 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 820 wrote to memory of 2144 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3264 wrote to memory of 3180 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3264 wrote to memory of 3180 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3180 wrote to memory of 4472 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3180 wrote to memory of 4472 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3180 wrote to memory of 4472 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3264 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 3264 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 3264 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 3264 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 3264 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 3264 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 3264 wrote to memory of 4276 N/A N/A C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 3264 wrote to memory of 4276 N/A N/A C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 3264 wrote to memory of 4276 N/A N/A C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 2164 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\3BAC.exe C:\Users\Admin\AppData\Local\Temp\3BAC.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4548 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cacls.exe C:\Users\Admin\AppData\Local\Temp\42D4.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 4476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 4476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 3264 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\8445.exe
PID 3264 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\8445.exe
PID 3264 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\8445.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4276 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\499D.exe C:\Users\Admin\AppData\Local\Temp\499D.exe
PID 4476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 4476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe C:\Users\Admin\AppData\Local\Temp\46DD.exe
PID 4476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\46DD.exe C:\Users\Admin\AppData\Local\Temp\46DD.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe

"C:\Users\Admin\AppData\Local\Temp\JC_9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97.exe"

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

C:\Users\Admin\AppData\Local\Temp\3D53.exe

C:\Users\Admin\AppData\Local\Temp\3D53.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3FE4.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3FE4.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\41E9.dll

C:\Users\Admin\AppData\Local\Temp\42D4.exe

C:\Users\Admin\AppData\Local\Temp\42D4.exe

C:\Users\Admin\AppData\Local\Temp\46DD.exe

C:\Users\Admin\AppData\Local\Temp\46DD.exe

C:\Users\Admin\AppData\Local\Temp\499D.exe

C:\Users\Admin\AppData\Local\Temp\499D.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\41E9.dll

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

C:\Users\Admin\AppData\Local\Temp\42D4.exe

C:\Users\Admin\AppData\Local\Temp\42D4.exe

C:\Users\Admin\AppData\Local\Temp\499D.exe

C:\Users\Admin\AppData\Local\Temp\499D.exe

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

C:\Users\Admin\AppData\Local\Temp\46DD.exe

C:\Users\Admin\AppData\Local\Temp\46DD.exe

C:\Users\Admin\AppData\Local\Temp\8445.exe

C:\Users\Admin\AppData\Local\Temp\8445.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f38bab2e-d7c8-4e0d-a7e6-b978148dd6a6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\46DD.exe

"C:\Users\Admin\AppData\Local\Temp\46DD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\42D4.exe

"C:\Users\Admin\AppData\Local\Temp\42D4.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\499D.exe

"C:\Users\Admin\AppData\Local\Temp\499D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\CD57.exe

C:\Users\Admin\AppData\Local\Temp\CD57.exe

C:\Users\Admin\AppData\Local\Temp\21A2.exe

C:\Users\Admin\AppData\Local\Temp\21A2.exe

C:\Users\Admin\AppData\Local\Temp\499D.exe

"C:\Users\Admin\AppData\Local\Temp\499D.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\79F5.dll

C:\Users\Admin\AppData\Local\Temp\8445.exe

C:\Users\Admin\AppData\Local\Temp\8445.exe

C:\Users\Admin\AppData\Local\Temp\42D4.exe

"C:\Users\Admin\AppData\Local\Temp\42D4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\803F.exe

C:\Users\Admin\AppData\Local\Temp\803F.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\79F5.dll

C:\Users\Admin\AppData\Local\Temp\46DD.exe

"C:\Users\Admin\AppData\Local\Temp\46DD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6D71.exe

C:\Users\Admin\AppData\Local\Temp\6D71.exe

C:\Users\Admin\AppData\Roaming\vtrwcch

C:\Users\Admin\AppData\Roaming\vtrwcch

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2148 -ip 2148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1188 -ip 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1336 -ip 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 568

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\6D71.exe

C:\Users\Admin\AppData\Local\Temp\6D71.exe

C:\Users\Admin\AppData\Local\Temp\CD57.exe

C:\Users\Admin\AppData\Local\Temp\CD57.exe

C:\Users\Admin\AppData\Local\Temp\9DCB.exe

C:\Users\Admin\AppData\Local\Temp\9DCB.exe

C:\Users\Admin\AppData\Local\Temp\9FDF.exe

C:\Users\Admin\AppData\Local\Temp\9FDF.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A1B5.dll

C:\Users\Admin\AppData\Local\Temp\A3E8.exe

C:\Users\Admin\AppData\Local\Temp\A3E8.exe

C:\Users\Admin\AppData\Local\Temp\A948.exe

C:\Users\Admin\AppData\Local\Temp\A948.exe

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

"C:\Users\Admin\AppData\Local\Temp\3BAC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

"C:\Users\Admin\AppData\Local\Temp\3BAC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A1B5.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\9DCB.exe

C:\Users\Admin\AppData\Local\Temp\9DCB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3508 -ip 3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\8445.exe

"C:\Users\Admin\AppData\Local\Temp\8445.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3620 -ip 3620

C:\Users\Admin\AppData\Local\Temp\9FDF.exe

C:\Users\Admin\AppData\Local\Temp\9FDF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 300

C:\Users\Admin\AppData\Local\Temp\8445.exe

"C:\Users\Admin\AppData\Local\Temp\8445.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 572

C:\Users\Admin\AppData\Local\Temp\6D71.exe

"C:\Users\Admin\AppData\Local\Temp\6D71.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6D71.exe

"C:\Users\Admin\AppData\Local\Temp\6D71.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4756 -ip 4756

C:\Users\Admin\AppData\Local\Temp\CD57.exe

"C:\Users\Admin\AppData\Local\Temp\CD57.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 568

C:\Users\Admin\AppData\Local\Temp\CD57.exe

"C:\Users\Admin\AppData\Local\Temp\CD57.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4724 -ip 4724

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\9DCB.exe

"C:\Users\Admin\AppData\Local\Temp\9DCB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9FDF.exe

"C:\Users\Admin\AppData\Local\Temp\9FDF.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 172.67.181.144:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 144.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
PE 190.187.52.42:80 colisumy.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
MD 176.123.9.142:14845 tcp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
GB 51.89.253.22:31098 tcp
GB 51.89.253.22:31098 tcp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 22.253.89.51.in-addr.arpa udp

Files

memory/4980-1-0x0000000002440000-0x0000000002540000-memory.dmp

memory/4980-2-0x0000000003EF0000-0x0000000003EF9000-memory.dmp

memory/4980-3-0x0000000000400000-0x00000000022EA000-memory.dmp

memory/3264-4-0x0000000003420000-0x0000000003436000-memory.dmp

memory/4980-5-0x0000000000400000-0x00000000022EA000-memory.dmp

memory/4980-8-0x0000000003EF0000-0x0000000003EF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\3D53.exe

MD5 c3fc3220dd39a2450b691dbc06f23cf2
SHA1 0237e6a3daa1a623c801fce75149c36cd64ba503
SHA256 0900e88d7d4150623fa82b4d24ab4ff6d5a8951487c29238366c6bd881927b8e
SHA512 6ef400dadb87d6be43a848b937498cb53dae3720e8b509126e70973eddba820bf2f489577663b3d80d0f865103e500710b9132da2ad1d352bd288a00f8b94b61

C:\Users\Admin\AppData\Local\Temp\3D53.exe

MD5 c3fc3220dd39a2450b691dbc06f23cf2
SHA1 0237e6a3daa1a623c801fce75149c36cd64ba503
SHA256 0900e88d7d4150623fa82b4d24ab4ff6d5a8951487c29238366c6bd881927b8e
SHA512 6ef400dadb87d6be43a848b937498cb53dae3720e8b509126e70973eddba820bf2f489577663b3d80d0f865103e500710b9132da2ad1d352bd288a00f8b94b61

C:\Users\Admin\AppData\Local\Temp\3FE4.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

memory/1936-24-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1936-27-0x00000000006D0000-0x0000000000700000-memory.dmp

memory/2144-35-0x0000000010000000-0x000000001020A000-memory.dmp

memory/3264-38-0x0000000008C90000-0x0000000008C91000-memory.dmp

memory/3264-37-0x0000000008C80000-0x0000000008C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41E9.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

memory/3264-33-0x0000000008C80000-0x0000000008C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\42D4.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\42D4.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2144-34-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\41E9.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

C:\Users\Admin\AppData\Local\Temp\3FE4.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

memory/3264-46-0x0000000008C80000-0x0000000008C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\499D.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\499D.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/3264-52-0x0000000008C80000-0x0000000008C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\499D.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/1936-56-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/3264-59-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-62-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/4472-61-0x0000000002B30000-0x0000000002C43000-memory.dmp

memory/2144-58-0x00000000027C0000-0x00000000028D3000-memory.dmp

memory/3264-63-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-64-0x0000000008AD0000-0x0000000008AE0000-memory.dmp

memory/3264-65-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-55-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/4472-48-0x0000000000D50000-0x0000000000D56000-memory.dmp

memory/3264-67-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-69-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-71-0x0000000008C90000-0x0000000008C91000-memory.dmp

memory/3264-75-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-70-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-76-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/1936-79-0x0000000004AF0000-0x0000000004B02000-memory.dmp

memory/1936-83-0x0000000004C60000-0x0000000004C9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

memory/2164-91-0x00000000040B4000-0x0000000004145000-memory.dmp

memory/3264-96-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-95-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-92-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3980-94-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3980-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2164-88-0x0000000004150000-0x000000000426B000-memory.dmp

memory/3980-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3264-85-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-81-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/2144-78-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1936-77-0x0000000004B50000-0x0000000004C5A000-memory.dmp

memory/1936-74-0x0000000005170000-0x0000000005788000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46DD.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\46DD.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/3264-98-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-99-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/2144-104-0x00000000028E0000-0x00000000029DA000-memory.dmp

memory/2816-109-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\42D4.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/3264-106-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-101-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/2816-103-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3980-102-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3264-100-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/1936-97-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/2144-115-0x00000000028E0000-0x00000000029DA000-memory.dmp

memory/4548-119-0x00000000040F0000-0x000000000420B000-memory.dmp

memory/4472-126-0x0000000002C50000-0x0000000002D4A000-memory.dmp

memory/2144-128-0x00000000028E0000-0x00000000029DA000-memory.dmp

memory/3264-140-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-148-0x0000000008C90000-0x0000000008CDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3264-156-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/4476-155-0x0000000003ED6000-0x0000000003F68000-memory.dmp

memory/3264-150-0x0000000008C80000-0x0000000008C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B1C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4276-145-0x0000000004058000-0x00000000040EA000-memory.dmp

memory/2408-144-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3264-143-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/2328-149-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46DD.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2408-139-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\499D.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\8445.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\8445.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

memory/2328-142-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3264-133-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-127-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-123-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-118-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/2816-120-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2816-114-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4548-113-0x0000000004056000-0x00000000040E8000-memory.dmp

memory/3264-116-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-111-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/4472-110-0x0000000002C50000-0x0000000002D4A000-memory.dmp

memory/1936-157-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/3264-166-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-168-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-170-0x0000000008C80000-0x0000000008C90000-memory.dmp

memory/3264-171-0x0000000008C80000-0x0000000008C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2408-174-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3264-177-0x0000000008C70000-0x0000000008C71000-memory.dmp

memory/2328-178-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3264-165-0x0000000008C80000-0x0000000008C90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b48c37414206b33557ce1230461e53ed
SHA1 af289afa0c9ba9044e0db7f77dea94c81f52d3b1
SHA256 5497d30f00ca1b434c2736cfc2d86fe8e552f533a52d04c97b3f115c19345504
SHA512 74f906a24d12d45bf8f7c45ee1aaeead764d99f22d7852de4893a123742ec0ec35d9e43c1aaf965d8185cba434cc789e82a52d36071acc766896447d57b44ce0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 591436927f43db6253e9a116f91e2a18
SHA1 f6d43d9768340322c37a07954a0d875d7850c26e
SHA256 f9090561cefcaa1ef13276dd37cf23c94a70019ed59c10db26eae3465e1fea5d
SHA512 dc612fc43f9efe39c00936704fe806061828bdab1c5adba3938d463630a392795652d7cda56b0275384e0335a4891e853294b9ffc3039e524e3c92863cb3f31e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 591436927f43db6253e9a116f91e2a18
SHA1 f6d43d9768340322c37a07954a0d875d7850c26e
SHA256 f9090561cefcaa1ef13276dd37cf23c94a70019ed59c10db26eae3465e1fea5d
SHA512 dc612fc43f9efe39c00936704fe806061828bdab1c5adba3938d463630a392795652d7cda56b0275384e0335a4891e853294b9ffc3039e524e3c92863cb3f31e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 27b88a15e3a9dc71f912bd3b562e916a
SHA1 9eac04e69cc12fb2b8325ad77e986b4a05a309a8
SHA256 2955a1d59b0bd27165384e17a981c7fcd0c1915e634bc3113f912bf063948a43
SHA512 6d33a437c61e19fdad899ac39d9a23aa4d9944f610a58963dc087581e6c20344756ca8df1ec98740ab4988c80f6921e1f95a79d601ff8cae8771f3318141db40

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\f38bab2e-d7c8-4e0d-a7e6-b978148dd6a6\3BAC.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 ae5be677e505aec1d2ae6ac82539b2e8
SHA1 8b6d31dd6097a32b2f71c134da59f5c6c0cd5d99
SHA256 24239d4a210aa645caf5443aa0fabb214776179114e92cbb612ace0a26e3d09e
SHA512 fe526b2b092ff099f3f8f57717913ddbaabc7c26b3b6b8b206185aa5aba71e3ebf3f1e5d5f2eded0cc2fd4f7b428178800dad61b59e7aa9ce75c431e6a1801e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 27b88a15e3a9dc71f912bd3b562e916a
SHA1 9eac04e69cc12fb2b8325ad77e986b4a05a309a8
SHA256 2955a1d59b0bd27165384e17a981c7fcd0c1915e634bc3113f912bf063948a43
SHA512 6d33a437c61e19fdad899ac39d9a23aa4d9944f610a58963dc087581e6c20344756ca8df1ec98740ab4988c80f6921e1f95a79d601ff8cae8771f3318141db40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b48c37414206b33557ce1230461e53ed
SHA1 af289afa0c9ba9044e0db7f77dea94c81f52d3b1
SHA256 5497d30f00ca1b434c2736cfc2d86fe8e552f533a52d04c97b3f115c19345504
SHA512 74f906a24d12d45bf8f7c45ee1aaeead764d99f22d7852de4893a123742ec0ec35d9e43c1aaf965d8185cba434cc789e82a52d36071acc766896447d57b44ce0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 591436927f43db6253e9a116f91e2a18
SHA1 f6d43d9768340322c37a07954a0d875d7850c26e
SHA256 f9090561cefcaa1ef13276dd37cf23c94a70019ed59c10db26eae3465e1fea5d
SHA512 dc612fc43f9efe39c00936704fe806061828bdab1c5adba3938d463630a392795652d7cda56b0275384e0335a4891e853294b9ffc3039e524e3c92863cb3f31e

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 ae5be677e505aec1d2ae6ac82539b2e8
SHA1 8b6d31dd6097a32b2f71c134da59f5c6c0cd5d99
SHA256 24239d4a210aa645caf5443aa0fabb214776179114e92cbb612ace0a26e3d09e
SHA512 fe526b2b092ff099f3f8f57717913ddbaabc7c26b3b6b8b206185aa5aba71e3ebf3f1e5d5f2eded0cc2fd4f7b428178800dad61b59e7aa9ce75c431e6a1801e8

C:\Users\Admin\AppData\Local\Temp\46DD.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2328-215-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\42D4.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\499D.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/2408-220-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2816-221-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD57.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\CD57.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\6D71.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\6D71.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/1936-244-0x0000000002030000-0x0000000002096000-memory.dmp

memory/3480-243-0x0000000003EBE000-0x0000000003F50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46DD.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

memory/1936-238-0x0000000005C80000-0x0000000006224000-memory.dmp

memory/1936-229-0x0000000000610000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21A2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1936-224-0x0000000000590000-0x0000000000606000-memory.dmp

memory/3868-262-0x0000000003F74000-0x0000000004006000-memory.dmp

memory/3052-265-0x0000000004055000-0x00000000040E6000-memory.dmp

memory/4496-263-0x00000000024E1000-0x0000000002573000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\79F5.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

C:\Users\Admin\AppData\Local\Temp\79F5.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

C:\Users\Admin\AppData\Local\Temp\8445.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\42D4.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\499D.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\21A2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\803F.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\803F.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\f38bab2e-d7c8-4e0d-a7e6-b978148dd6a6\3BAC.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\6D71.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Roaming\vtrwcch

MD5 8b612e3c3cb9dde4f7f9094a547072b8
SHA1 22fbd8dd4604a6e278f570588dc948c13b675998
SHA256 9f574dfa7671fdf8d4dc184ad6af97f9124a2b6e8e7c5ab7e672faed08d1af97
SHA512 e0ca6335f66b1f1d3022f0eb1b24088df5b8b865ce811f8f3130afd39f9fa1c3002dd2d25e576f624b5e0127a060ca5cddb319f2d1a1f57a73bfa0dbed0046e5

C:\Users\Admin\AppData\Local\Temp\9DCB.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\9DCB.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\CD57.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\A1B5.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

C:\Users\Admin\AppData\Local\Temp\A948.exe

MD5 b3bce1a26099d4e168ce62cbd3f5f1ec
SHA1 c1bc28d236b980b1e0509ca6e27d2bcda0b83780
SHA256 8d1201ed137fe2deb674bbd448638561583695d31395b72c19f4e18a5bd54bdc
SHA512 53ffdba8bfd6019179539c6ca7fbf60adbfad27eccd8643817c108c30aad78ac13cf319268d4b6ec550e2219c0f4c7730119427cb4da40c3ad8719d974efd1a8

C:\Users\Admin\AppData\Local\Temp\3BAC.exe

MD5 d34ea3f054f0bdb963c56a4126f0b4c1
SHA1 ddc10a448dd9787e91507bec5755a3aa26fb9865
SHA256 e124b487afa4aeb709f2c0162d0e86030dbab2f61a9bd96d83f620c2b70a9935
SHA512 8b8eca5f46f9bf590b60ac072b7194e1e0f3f98aff46f3b55b665b79ba3c054b078586661272ff768132548dbacba4f5b3d04527ce2e16eaefbb0a6a3b2e6395

C:\Users\Admin\AppData\Local\Temp\A3E8.exe

MD5 b3bce1a26099d4e168ce62cbd3f5f1ec
SHA1 c1bc28d236b980b1e0509ca6e27d2bcda0b83780
SHA256 8d1201ed137fe2deb674bbd448638561583695d31395b72c19f4e18a5bd54bdc
SHA512 53ffdba8bfd6019179539c6ca7fbf60adbfad27eccd8643817c108c30aad78ac13cf319268d4b6ec550e2219c0f4c7730119427cb4da40c3ad8719d974efd1a8

C:\Users\Admin\AppData\Local\Temp\A1B5.dll

MD5 3e8c26a38f95046e1b28401aa9a2a8fc
SHA1 de64ba959a7d63044d051ec334e45f0820a7ffe4
SHA256 5cc520170f744fa5a071b3dcccd28d080a26fea6ffcf516c17d803ef2505a912
SHA512 d3c273d02309dd6d49f292fed3f9596ab69dc9a8661644ee72e8f9b6f1335771374cdd16e40c47e196c06daf1a2f25ad3c5eb844a6c146d79d11a971dad314e0

C:\Users\Admin\AppData\Local\Temp\A3E8.exe

MD5 b3bce1a26099d4e168ce62cbd3f5f1ec
SHA1 c1bc28d236b980b1e0509ca6e27d2bcda0b83780
SHA256 8d1201ed137fe2deb674bbd448638561583695d31395b72c19f4e18a5bd54bdc
SHA512 53ffdba8bfd6019179539c6ca7fbf60adbfad27eccd8643817c108c30aad78ac13cf319268d4b6ec550e2219c0f4c7730119427cb4da40c3ad8719d974efd1a8

C:\Users\Admin\AppData\Local\Temp\9FDF.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf

C:\Users\Admin\AppData\Local\Temp\9FDF.exe

MD5 2ea7681ac788d969e7e08bcdd98905cb
SHA1 ed4763e2ba4bdb18fc0516e7baf103e75e79783b
SHA256 61c6df46b546a54d5562b2d6472c8c5fc387adfeb683df341c777bb58498c35f
SHA512 e6a9044569715c6e5dfd37f0d886becba174a000304b71b7d15a96949fa49e81598fc98f6bc3c3456793d870b0020296ce32f65066564d03a437e01c920d89bf