Malware Analysis Report

2025-04-14 07:55

Sample ID 230910-ylyn1sbd25
Target file.exe
SHA256 a8b91c111eccc6225f33b06f8ff5e5ec0093df0ec35db93fccd98136dbb65e94
Tags
amadey djvu redline smokeloader amadey_api backdoor discovery evasion infostealer ransomware trojan logsdiller cloud (tg: @logsdillabot) smokiez_test
score
10/10


Analysis Overview

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Detected Djvu ransomware

Djvu Ransomware

SmokeLoader

RedLine

Stops running service(s)

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Uses the VBS compiler for execution

Loads dropped DLL

Modifies file permissions

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 19:53

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 19:53

Reported

2023-09-10 19:55

Platform

win7-20230831-en

Max time kernel

47s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Uses the VBS compiler for execution

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (x2)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1988 set thread context of 944 N/A C:\Users\Admin\AppData\Local\Temp\169C.exe C:\Users\Admin\AppData\Local\Temp\169C.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A (x7)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A (x2)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (x2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\169C.exe (x4)
PID 1200 wrote to memory of 832 N/A N/A C:\Windows\system32\regsvr32.exe (x5)
PID 832 wrote to memory of 2008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (x7)
PID 1200 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B7E.exe (x4)
PID 1200 wrote to memory of 2108 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C98.exe (x4)
PID 1200 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E9C.exe (x4)
PID 1200 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\Temp\2EA4.exe (x4)
PID 2696 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2EA4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (x4)
PID 2624 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe (x4)
PID 2624 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe (x4)
PID 2712 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (x4)
PID 2712 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe (x4)
PID 2712 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe (x4)
PID 2712 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (x4)
PID 2712 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe (x4)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\169C.exe

C:\Users\Admin\AppData\Local\Temp\169C.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1A26.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1A26.dll

C:\Users\Admin\AppData\Local\Temp\1B7E.exe

C:\Users\Admin\AppData\Local\Temp\1B7E.exe

C:\Users\Admin\AppData\Local\Temp\1C98.exe

C:\Users\Admin\AppData\Local\Temp\1C98.exe

C:\Users\Admin\AppData\Local\Temp\1E9C.exe

C:\Users\Admin\AppData\Local\Temp\1E9C.exe

C:\Users\Admin\AppData\Local\Temp\2EA4.exe

C:\Users\Admin\AppData\Local\Temp\2EA4.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\40ED.exe

C:\Users\Admin\AppData\Local\Temp\40ED.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\44D4.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\44D4.dll

C:\Users\Admin\AppData\Local\Temp\462C.exe

C:\Users\Admin\AppData\Local\Temp\462C.exe

C:\Users\Admin\AppData\Local\Temp\4811.exe

C:\Users\Admin\AppData\Local\Temp\4811.exe

C:\Users\Admin\AppData\Local\Temp\169C.exe

C:\Users\Admin\AppData\Local\Temp\169C.exe

C:\Users\Admin\AppData\Local\Temp\4A24.exe

C:\Users\Admin\AppData\Local\Temp\4A24.exe

C:\Users\Admin\AppData\Local\Temp\4BF9.exe

C:\Users\Admin\AppData\Local\Temp\4BF9.exe

C:\Users\Admin\AppData\Local\Temp\4FD1.exe

C:\Users\Admin\AppData\Local\Temp\4FD1.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Users\Admin\AppData\Local\Temp\6130.exe

C:\Users\Admin\AppData\Local\Temp\6130.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\66DC.dll

C:\Users\Admin\AppData\Local\Temp\68B1.exe

C:\Users\Admin\AppData\Local\Temp\68B1.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4bff1002-486a-47aa-9e10-17cd10f114a5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\70FC.exe

C:\Users\Admin\AppData\Local\Temp\70FC.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {501493B6-4411-471E-999E-F4BFA9B1A87E} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\66DC.dll

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\7A5F.exe

C:\Users\Admin\AppData\Local\Temp\7A5F.exe

C:\Users\Admin\AppData\Local\Temp\169C.exe

"C:\Users\Admin\AppData\Local\Temp\169C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

Network


Files


C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 07f52cda25a10e6415a09e2ab5c10424
SHA1 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe
SHA256 b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff
SHA512 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65

C:\Users\Admin\AppData\Local\Temp\Cab6200.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/952-188-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp

memory/952-189-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp

memory/952-190-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/952-187-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp

memory/952-192-0x0000000076E10000-0x0000000076FB9000-memory.dmp

memory/952-198-0x000007FE80010000-0x000007FE80011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\68B1.exe

MD5 b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d
SHA1 18845f37a2ffa83d62eed48f608019b1200f5ee2
SHA256 a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
SHA512 6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47

C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 78724fd5de931eb917b1b7780ffe8b6e
SHA1 35c07e6a8c691074391d777542f1456e6bf77779
SHA256 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7
SHA512 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24

memory/952-203-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/952-215-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/952-216-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/952-217-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2624-225-0x00000000033F0000-0x000000000354C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar6B17.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/952-231-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/952-218-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/952-232-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/952-233-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/952-235-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/1788-242-0x0000000000080000-0x00000000000B0000-memory.dmp

memory/1788-241-0x0000000000080000-0x00000000000B0000-memory.dmp

memory/944-245-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1788-247-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\70FC.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

memory/952-249-0x00000000002F0000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 3f821e69fe1b38097b29ac284016858a
SHA1 3995cad76f1313243e5c8abce901876638575341
SHA256 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08
SHA512 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

memory/1788-259-0x0000000000080000-0x00000000000B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70FC.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

\Users\Admin\AppData\Local\Temp\70FC.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

memory/1788-260-0x0000000000080000-0x00000000000B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe

MD5 d27a1e32e78580ea15a4cf5119bc2907
SHA1 ffe9ae4c1622c95eca2eab429b99361d4d7a29fe
SHA256 fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5
SHA512 bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de

memory/1768-270-0x0000000001090000-0x00000000011EC000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 71648c9384475421a3efe968c17a67ea
SHA1 d8f8411dc20c3ccb27e191ef2bff61a64565206e
SHA256 9d2812a12438a9ab07aabfc225ef3b8854ec7e25ceb51358a6a51306796209b8
SHA512 7192ce0ef01e09b8c26cda74613dbe39c7ac07ce77c6f7913930cf1abf017f909497ebd20d9434f7f289aafffbaaa7cc468ec9721665a21e4b62bdc6df3b5956

memory/2624-274-0x0000000003A30000-0x0000000004298000-memory.dmp

memory/2624-276-0x0000000003F30000-0x000000000408C000-memory.dmp

memory/2700-290-0x0000000000010000-0x000000000016C000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 71648c9384475421a3efe968c17a67ea
SHA1 d8f8411dc20c3ccb27e191ef2bff61a64565206e
SHA256 9d2812a12438a9ab07aabfc225ef3b8854ec7e25ceb51358a6a51306796209b8
SHA512 7192ce0ef01e09b8c26cda74613dbe39c7ac07ce77c6f7913930cf1abf017f909497ebd20d9434f7f289aafffbaaa7cc468ec9721665a21e4b62bdc6df3b5956

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 3f821e69fe1b38097b29ac284016858a
SHA1 3995cad76f1313243e5c8abce901876638575341
SHA256 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08
SHA512 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 71648c9384475421a3efe968c17a67ea
SHA1 d8f8411dc20c3ccb27e191ef2bff61a64565206e
SHA256 9d2812a12438a9ab07aabfc225ef3b8854ec7e25ceb51358a6a51306796209b8
SHA512 7192ce0ef01e09b8c26cda74613dbe39c7ac07ce77c6f7913930cf1abf017f909497ebd20d9434f7f289aafffbaaa7cc468ec9721665a21e4b62bdc6df3b5956

memory/2624-313-0x00000000042D0000-0x000000000442C000-memory.dmp

memory/2144-315-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2120-317-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2144-318-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp

memory/2624-316-0x00000000042D0000-0x0000000004B38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70FC.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe

MD5 d27a1e32e78580ea15a4cf5119bc2907
SHA1 ffe9ae4c1622c95eca2eab429b99361d4d7a29fe
SHA256 fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5
SHA512 bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de

memory/952-314-0x00000000002F0000-0x0000000000B58000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 71648c9384475421a3efe968c17a67ea
SHA1 d8f8411dc20c3ccb27e191ef2bff61a64565206e
SHA256 9d2812a12438a9ab07aabfc225ef3b8854ec7e25ceb51358a6a51306796209b8
SHA512 7192ce0ef01e09b8c26cda74613dbe39c7ac07ce77c6f7913930cf1abf017f909497ebd20d9434f7f289aafffbaaa7cc468ec9721665a21e4b62bdc6df3b5956

memory/952-302-0x0000000076E10000-0x0000000076FB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 3f821e69fe1b38097b29ac284016858a
SHA1 3995cad76f1313243e5c8abce901876638575341
SHA256 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08
SHA512 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

C:\Users\Admin\AppData\Local\Temp\7A5F.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

\Users\Admin\AppData\Local\Temp\7A5F.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 3f821e69fe1b38097b29ac284016858a
SHA1 3995cad76f1313243e5c8abce901876638575341
SHA256 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08
SHA512 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

memory/2624-292-0x0000000004140000-0x00000000049A8000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 07f52cda25a10e6415a09e2ab5c10424
SHA1 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe
SHA256 b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff
SHA512 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65

\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 07f52cda25a10e6415a09e2ab5c10424
SHA1 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe
SHA256 b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff
SHA512 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 07f52cda25a10e6415a09e2ab5c10424
SHA1 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe
SHA256 b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff
SHA512 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65

memory/2120-337-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2120-348-0x00000000002F0000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 07f52cda25a10e6415a09e2ab5c10424
SHA1 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe
SHA256 b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff
SHA512 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65

memory/2120-350-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2120-349-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2120-347-0x00000000002F0000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 07f52cda25a10e6415a09e2ab5c10424
SHA1 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe
SHA256 b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff
SHA512 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65

memory/1088-358-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1088-369-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2120-367-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2120-364-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2120-359-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/336-360-0x00000000000E0000-0x0000000000121000-memory.dmp

memory/2120-354-0x00000000002F0000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 78724fd5de931eb917b1b7780ffe8b6e
SHA1 35c07e6a8c691074391d777542f1456e6bf77779
SHA256 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7
SHA512 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24

memory/2144-332-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe

MD5 d27a1e32e78580ea15a4cf5119bc2907
SHA1 ffe9ae4c1622c95eca2eab429b99361d4d7a29fe
SHA256 fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5
SHA512 bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de

\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 78724fd5de931eb917b1b7780ffe8b6e
SHA1 35c07e6a8c691074391d777542f1456e6bf77779
SHA256 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7
SHA512 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24

\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe

MD5 d27a1e32e78580ea15a4cf5119bc2907
SHA1 ffe9ae4c1622c95eca2eab429b99361d4d7a29fe
SHA256 fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5
SHA512 bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de

\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 78724fd5de931eb917b1b7780ffe8b6e
SHA1 35c07e6a8c691074391d777542f1456e6bf77779
SHA256 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7
SHA512 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24

C:\Users\Admin\AppData\Local\Temp\66DC.dll

MD5 b7b33e8ed9faa20ab4708d7a3592127b
SHA1 5c1a9ee525bfc059ecb5f0990581cd2f74bc4ea2
SHA256 936e4215f236fb15f27bc5fe8e365c8a6e6404015e7d07d6c43e2ae117e965b7
SHA512 40bade5a1e7d9b5391a61f43b9b646ecdf55710ec27dd509694d7c33b57d77e19d48587b89a634300a8f14f22c2ea591411225540f895cc745d06503af96bdfd

memory/2488-371-0x00000000011D0000-0x0000000001264000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A5F.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 3f821e69fe1b38097b29ac284016858a
SHA1 3995cad76f1313243e5c8abce901876638575341
SHA256 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08
SHA512 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

memory/952-285-0x00000000002F0000-0x0000000000B58000-memory.dmp

memory/2624-289-0x0000000003F30000-0x000000000408C000-memory.dmp

memory/2700-396-0x0000000000010000-0x000000000016C000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 71648c9384475421a3efe968c17a67ea
SHA1 d8f8411dc20c3ccb27e191ef2bff61a64565206e
SHA256 9d2812a12438a9ab07aabfc225ef3b8854ec7e25ceb51358a6a51306796209b8
SHA512 7192ce0ef01e09b8c26cda74613dbe39c7ac07ce77c6f7913930cf1abf017f909497ebd20d9434f7f289aafffbaaa7cc468ec9721665a21e4b62bdc6df3b5956

memory/952-288-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A5F.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 71648c9384475421a3efe968c17a67ea
SHA1 d8f8411dc20c3ccb27e191ef2bff61a64565206e
SHA256 9d2812a12438a9ab07aabfc225ef3b8854ec7e25ceb51358a6a51306796209b8
SHA512 7192ce0ef01e09b8c26cda74613dbe39c7ac07ce77c6f7913930cf1abf017f909497ebd20d9434f7f289aafffbaaa7cc468ec9721665a21e4b62bdc6df3b5956

memory/2488-406-0x0000000000140000-0x0000000000146000-memory.dmp

\Users\Admin\AppData\Local\Temp\7A5F.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

memory/2488-408-0x00000000005E0000-0x00000000005FA000-memory.dmp

memory/1088-409-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2488-428-0x000000001B2A0000-0x000000001B328000-memory.dmp

memory/1088-438-0x0000000000380000-0x0000000000386000-memory.dmp

memory/1908-439-0x00000000000A0000-0x0000000000134000-memory.dmp

memory/856-449-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2488-486-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

memory/2120-510-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp

memory/1784-515-0x0000000000010000-0x000000000016C000-memory.dmp

memory/2120-516-0x0000000076E10000-0x0000000076FB9000-memory.dmp

memory/2144-517-0x0000000076E10000-0x0000000076FB9000-memory.dmp

memory/2624-518-0x0000000003B40000-0x0000000004552000-memory.dmp

memory/2624-522-0x0000000004560000-0x0000000004F72000-memory.dmp

memory/336-523-0x000000013FF10000-0x0000000140922000-memory.dmp

memory/2728-525-0x000000013FF10000-0x0000000140922000-memory.dmp

memory/2728-527-0x000000013FF10000-0x0000000140922000-memory.dmp

memory/944-539-0x0000000000400000-0x0000000000537000-memory.dmp

memory/336-662-0x000000013FF10000-0x0000000140922000-memory.dmp

memory/1788-668-0x0000000072DC0000-0x00000000734AE000-memory.dmp

memory/2624-675-0x00000000036E0000-0x00000000040F2000-memory.dmp

memory/2540-681-0x000000013FF10000-0x0000000140922000-memory.dmp

memory/2540-683-0x000000013FF10000-0x0000000140922000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UYA3Z2DYLVGUQ5HZ6M80.temp

MD5 215c5b719358b930d8b300539141238f
SHA1 033ee03be9b9bce5033db1d0dc0768e61e5735cc
SHA256 6511d067bde7b1ab2d223d41ad89e30dd9bc24785c5efc13f0c096d9b4a3f74d
SHA512 4667bb48431bb7bc40e45f146b2852e60229191158fc3fa19415a43ee04985e3beb763f5157775fb9475ce4808d49d7f17f9bd7a9be580283e17fcabcc779a42

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 19:53

Reported

2023-09-10 19:55

Platform

win10v2004-20230831-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Uses the VBS compiler for execution

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 3464 N/A N/A C:\Users\Admin\AppData\Local\Temp\306D.exe
PID 3120 wrote to memory of 2504 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2504 wrote to memory of 3340 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3120 wrote to memory of 3604 N/A N/A C:\Users\Admin\AppData\Local\Temp\3428.exe
PID 3120 wrote to memory of 968 N/A N/A C:\Users\Admin\AppData\Local\Temp\3542.exe
PID 3120 wrote to memory of 5096 N/A N/A C:\Users\Admin\AppData\Local\Temp\366C.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\306D.exe

C:\Users\Admin\AppData\Local\Temp\306D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\333C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\333C.dll

C:\Users\Admin\AppData\Local\Temp\3428.exe

C:\Users\Admin\AppData\Local\Temp\3428.exe

C:\Users\Admin\AppData\Local\Temp\3542.exe

C:\Users\Admin\AppData\Local\Temp\3542.exe

C:\Users\Admin\AppData\Local\Temp\366C.exe

C:\Users\Admin\AppData\Local\Temp\366C.exe

C:\Users\Admin\AppData\Local\Temp\3D24.exe

C:\Users\Admin\AppData\Local\Temp\3D24.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\4FA3.exe

C:\Users\Admin\AppData\Local\Temp\4FA3.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\536D.dll

C:\Users\Admin\AppData\Local\Temp\55A0.exe

C:\Users\Admin\AppData\Local\Temp\55A0.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\536D.dll

C:\Users\Admin\AppData\Local\Temp\58AE.exe

C:\Users\Admin\AppData\Local\Temp\58AE.exe

C:\Users\Admin\AppData\Local\Temp\5AE2.exe

C:\Users\Admin\AppData\Local\Temp\5AE2.exe

C:\Users\Admin\AppData\Local\Temp\5CE7.exe

C:\Users\Admin\AppData\Local\Temp\5CE7.exe

C:\Users\Admin\AppData\Local\Temp\6004.exe

C:\Users\Admin\AppData\Local\Temp\6004.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\80EB.exe

C:\Users\Admin\AppData\Local\Temp\80EB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8DAE.dll

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\964A.exe

C:\Users\Admin\AppData\Local\Temp\964A.exe

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8DAE.dll

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C20E.exe

C:\Users\Admin\AppData\Local\Temp\C20E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2948 -ip 2948

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3344 -ip 3344

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Users\Admin\AppData\Local\Temp\D103.exe

C:\Users\Admin\AppData\Local\Temp\D103.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 148

C:\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe"

Network

Country Destination Domain Proto

Files

memory/2904-0-0x0000000004010000-0x0000000004025000-memory.dmp

memory/2904-1-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/2904-2-0x0000000000400000-0x0000000002408000-memory.dmp

memory/2904-3-0x0000000000400000-0x0000000002408000-memory.dmp

memory/3120-4-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

memory/2904-5-0x0000000000400000-0x0000000002408000-memory.dmp

memory/2904-8-0x0000000004010000-0x0000000004025000-memory.dmp

memory/2904-9-0x00000000001C0000-0x00000000001C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\306D.exe

MD5 2a64053844f57a51b2b4de5a29bef9f0
SHA1 257693e819ebba57c76fd1c74bbadc7d376b3629
SHA256 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61
SHA512 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af

C:\Users\Admin\AppData\Local\Temp\333C.dll

MD5 b7b33e8ed9faa20ab4708d7a3592127b
SHA1 5c1a9ee525bfc059ecb5f0990581cd2f74bc4ea2
SHA256 936e4215f236fb15f27bc5fe8e365c8a6e6404015e7d07d6c43e2ae117e965b7
SHA512 40bade5a1e7d9b5391a61f43b9b646ecdf55710ec27dd509694d7c33b57d77e19d48587b89a634300a8f14f22c2ea591411225540f895cc745d06503af96bdfd

C:\Users\Admin\AppData\Local\Temp\3428.exe

MD5 b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d
SHA1 18845f37a2ffa83d62eed48f608019b1200f5ee2
SHA256 a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
SHA512 6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47

C:\Users\Admin\AppData\Local\Temp\3542.exe

MD5 b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d
SHA1 18845f37a2ffa83d62eed48f608019b1200f5ee2
SHA256 a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
SHA512 6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47

C:\Users\Admin\AppData\Local\Temp\366C.exe

MD5 b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d
SHA1 18845f37a2ffa83d62eed48f608019b1200f5ee2
SHA256 a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
SHA512 6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47

memory/3340-33-0x00000000006C0000-0x00000000006C6000-memory.dmp

memory/3340-32-0x0000000010000000-0x0000000010212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3D24.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4FA3.exe

MD5 2a64053844f57a51b2b4de5a29bef9f0
SHA1 257693e819ebba57c76fd1c74bbadc7d376b3629
SHA256 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61
SHA512 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af

C:\Users\Admin\AppData\Local\Temp\536D.dll

MD5 b7b33e8ed9faa20ab4708d7a3592127b
SHA1 5c1a9ee525bfc059ecb5f0990581cd2f74bc4ea2
SHA256 936e4215f236fb15f27bc5fe8e365c8a6e6404015e7d07d6c43e2ae117e965b7
SHA512 40bade5a1e7d9b5391a61f43b9b646ecdf55710ec27dd509694d7c33b57d77e19d48587b89a634300a8f14f22c2ea591411225540f895cc745d06503af96bdfd

C:\Users\Admin\AppData\Local\Temp\55A0.exe

MD5 b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d
SHA1 18845f37a2ffa83d62eed48f608019b1200f5ee2
SHA256 a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
SHA512 6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47

C:\Users\Admin\AppData\Local\Temp\58AE.exe

MD5 c0afe7d89543e251be8cfd3886be6272
SHA1 45e83d6713ae45eb2d2224a85fcbecbda35fed29
SHA256 addc4e2c91235de0b329af0633071d768406ccbb6b43d7b95a13474119b1ab96
SHA512 15460b420200db15079a3e4aff9b9cdd04fb5ee7e200ab0c0cde3698017bd551b0b0a60e861b92404bba8ac0ec590a673c20e3342b497321945af39200104dbd

memory/3340-63-0x0000000002640000-0x000000000274D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5CE7.exe

MD5 2b498b3902d5116128b410a3ed895559
SHA1 c3eb741abfc77173d465d1eb06f1d9ef79df6efc
SHA256 4f5949d4f29acac886fc57e87649c031edcb2e0b675fd9537b5e3fc736b93edf
SHA512 66e7dd7893d15640967bfc33a5eddb055dacf2e19a54357137dc0e2ccbff20f6437c27a2f4b0cf6e13ac0d3c343661769c632ad59c63684880850217a3eada55

C:\Users\Admin\AppData\Local\Temp\5AE2.exe

MD5 2b498b3902d5116128b410a3ed895559
SHA1 c3eb741abfc77173d465d1eb06f1d9ef79df6efc
SHA256 4f5949d4f29acac886fc57e87649c031edcb2e0b675fd9537b5e3fc736b93edf
SHA512 66e7dd7893d15640967bfc33a5eddb055dacf2e19a54357137dc0e2ccbff20f6437c27a2f4b0cf6e13ac0d3c343661769c632ad59c63684880850217a3eada55

C:\Users\Admin\AppData\Local\Temp\6004.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\1000066001\toolspub2.exe

MD5 b18bb9552c7b72fc4a7a31fbe2dd3c6f
SHA1 fe8acedb9a6781f40ca676e6cfcdd7b1f53b5b29
SHA256 e0c0dad38a7b96cd4bd4049a100b4c483b5f6cdf8d44c005f6039d294debfec8
SHA512 8325ee8b0232052bb7467bcab2d7a3d4f9e0bd403e7d5bf88ab2acf3d1b6382234f4de5bf6e55fc79963117e10abe95574afd1a5b35eeee4b206ac9f8e5faab4

memory/3592-82-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/3340-81-0x0000000010000000-0x0000000010212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 71648c9384475421a3efe968c17a67ea
SHA1 d8f8411dc20c3ccb27e191ef2bff61a64565206e
SHA256 9d2812a12438a9ab07aabfc225ef3b8854ec7e25ceb51358a6a51306796209b8
SHA512 7192ce0ef01e09b8c26cda74613dbe39c7ac07ce77c6f7913930cf1abf017f909497ebd20d9434f7f289aafffbaaa7cc468ec9721665a21e4b62bdc6df3b5956

memory/3340-99-0x0000000002750000-0x0000000002843000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 3f821e69fe1b38097b29ac284016858a
SHA1 3995cad76f1313243e5c8abce901876638575341
SHA256 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08
SHA512 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

memory/3340-106-0x0000000002750000-0x0000000002843000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\80EB.exe

MD5 2a64053844f57a51b2b4de5a29bef9f0
SHA1 257693e819ebba57c76fd1c74bbadc7d376b3629
SHA256 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61
SHA512 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af

memory/3152-122-0x0000000000730000-0x0000000000760000-memory.dmp

memory/840-138-0x00000000005C0000-0x0000000000E28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\964A.exe

MD5 b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d
SHA1 18845f37a2ffa83d62eed48f608019b1200f5ee2
SHA256 a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46
SHA512 6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47

memory/2500-121-0x00000000006B0000-0x000000000080C000-memory.dmp

memory/3340-150-0x0000000002750000-0x0000000002843000-memory.dmp

memory/3152-151-0x0000000072A40000-0x00000000731F0000-memory.dmp

memory/2500-149-0x00000000006B0000-0x000000000080C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 453b3bcc95b809375ac21e6c41ccb2a2
SHA1 acacfb2ed37a3e8c5be5a30fc9da8c30a0f46ee1
SHA256 58910fe03786775f42d51623eb0666527d1d3fca2995a8638d16b2369b2b23a8
SHA512 c8e17bdfff14a98a1c6955aa399cc4dba0c6d578358554fc8204def095cea64cad1baf2a7f3addba6c7e1706f9d2c7bca759246ac2d698fe407a21bed3ee48b7

C:\Users\Admin\AppData\Local\Temp\8DAE.dll

MD5 b7b33e8ed9faa20ab4708d7a3592127b
SHA1 5c1a9ee525bfc059ecb5f0990581cd2f74bc4ea2
SHA256 936e4215f236fb15f27bc5fe8e365c8a6e6404015e7d07d6c43e2ae117e965b7
SHA512 40bade5a1e7d9b5391a61f43b9b646ecdf55710ec27dd509694d7c33b57d77e19d48587b89a634300a8f14f22c2ea591411225540f895cc745d06503af96bdfd

memory/840-160-0x00007FFAD2B00000-0x00007FFAD2DC9000-memory.dmp

memory/840-166-0x00007FFA80000000-0x00007FFA80002000-memory.dmp

memory/840-164-0x00007FFAD2B00000-0x00007FFAD2DC9000-memory.dmp

memory/840-165-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/840-174-0x00000000005C0000-0x0000000000E28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 fc1fc33ab7a3155760bb302f2fc129ac
SHA1 62d415a4f0f3b7c04cb427a10c92353f053f7242
SHA256 045cbe0b2437bfd12e47811e77caa93a906444d44646997985cdff3b196e0ca1
SHA512 acdbedd6aef15516c98de9c4e9ea73859be8fd4bc12417a375347a7a9ad47dfb8a3c2b62d8c1620038c0fc4c637be1b187d1d7683f5c27c8035ed06b0600fb21

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 a55bf438ab1993e80ddf15f89258b46e
SHA1 42d13890f0fb591ea80b1356bf949bfc89657b02
SHA256 27c92dfb54fb3516edb55e8c10405f437584c889a8570e3123a08033056f8cee
SHA512 b1f1bae871f7d84ca22efbfda772ffa57a3601a01d3d491c08313b02ffe63e431695d302296fd69aedf61691abe8930a72f0305ef85533dd88a9436aecbec7c0

C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 8dccee3ea9a2d361d34c4069eb862866
SHA1 74e25c0e39a1aab417980a730f8d40e94e9dfa26
SHA256 64224ac310558233606436c2bbc4466a4817ca1977c57f09bc386eb56eb0766d
SHA512 ece760b7142ebfcab8f4f2d5e520084a081b3a0cd7ae1f35e7d7de2224e6b22bca6c8fa457513920177e2b858ee4292789b630780b16f2691a5320b560576a2a

memory/3152-179-0x00000000052C0000-0x00000000058D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8DAE.dll

MD5 7121243553e070a256bbe2cf28006cf0
SHA1 9d1c01cba2d186551df6ef75031aaeda8db5136c
SHA256 f4b6ab2acbda78fe3b9fb1c7a3cb97b3540769f41a863141b4745ae16fb91937
SHA512 dce4dbe40781435ca3ce6d7cf1ad6fd6e4b0c958b2d593595de978a27b08d1e05b7cebca94de014f1551b8fb78cbd44502e553d3f07f4a3463ccd5220c3869f4

memory/840-178-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/840-184-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/1692-192-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2080-191-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3152-188-0x0000000004CF0000-0x0000000004D02000-memory.dmp

memory/2232-181-0x00007FF6F9D40000-0x00007FF6FA752000-memory.dmp

memory/3152-180-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

memory/3152-197-0x0000000004D50000-0x0000000004D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C20E.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

memory/2080-208-0x0000000072A40000-0x00000000731F0000-memory.dmp

memory/2232-207-0x0000014143090000-0x00000141430D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b7e488998b0ed3ce2e28f4b12c5176dd
SHA1 5d84ba19365b576c268b34a9250a701d48194caf
SHA256 be6caac7b8dce03b216bea3c60755a7264d20b39d7ad70ec65ccbdbcd58d759c
SHA512 d9e73ab123a9d84f5bbd8772e5fb32dcd1e4e7deb3a75e6eb6bfccfc21da62e1e00e7aa68d637b99243c89c5b0f1967f3a547e237226fc30fe32dd0feed354a3

memory/2232-200-0x0000014143090000-0x00000141430D1000-memory.dmp

memory/840-195-0x00000000005C0000-0x0000000000E28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000067001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3fe76eaad0c68b711c5f7e2834d26b94
SHA1 83cfc72ecea86d3b1b1ea78ad7dc94657e77c661
SHA256 dcc8212a9a119e61d5a377a33f932249a65120f7c66059e7a544323086ff4349
SHA512 1aa5440ec78a61fe9d6a67d8dd6f9e964ba9fb2641d77880a5c5ece3d593c89c5f8d798fada322fd2df3db069125cd74e84647c4fd1150e4482f80d71619a856

memory/2232-196-0x00007FF6F9D40000-0x00007FF6FA752000-memory.dmp

memory/1692-218-0x0000000072A40000-0x00000000731F0000-memory.dmp

memory/3192-221-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-219-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/4780-233-0x000002E3147F0000-0x000002E314884000-memory.dmp

memory/840-234-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/4780-240-0x000002E32EC80000-0x000002E32EC9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D103.exe

MD5 83ac976bad443e25d5c1e54092e348b7
SHA1 c4651e714532b6467052bec9d06a507ea0bfa8ad
SHA256 28ad206b8c48e0674b923e6a4077ca48ef1f385e7f741efd28b6445fe5cac39a
SHA512 1c79f107ea3d0036490251544d0538ad58a0d282cd6c3589b00ef9a5f6b68aea407dee55e03e8fbe8e73f7ed8eaee88167a27e4e8e6afd33016220f48af1035d

memory/840-215-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/840-206-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/840-243-0x00000000005C0000-0x0000000000E28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 638a0639009abacc1345991e517900ce
SHA1 2f399f5e544f26e473187f3dd5e54c282c03282f
SHA256 498a4355aa06a967fc8420c86ba64a0b30e618ae10449dc546bb8e1202d2e5af
SHA512 08280dd61dcc2368ec8f2b1da29766216d03d36693167489e5cf71dc83d18cdbd350a28f01c528619019811deb8da4d52bf2d6ffeaefdbf4b2996e88c1067eae

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

MD5 e539a97dfbe4cb5327bfeac2ed7bf956
SHA1 a28f350816b9f3d614786fdb243e25a8152ba32c
SHA256 64b5db0a653d836f51e113cc6a1ac10339344513166f4173a36e46f60ca305d3
SHA512 65050e60006b90d59af0c12fed1af85d5ba7257530407e93cec6a2f646217c2fddecfeaa06ec548576d950f8d04d43e8bedd0294f702d479835e8822daba13da

memory/4520-250-0x00000000006B0000-0x000000000080C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000068001\aafg31.exe

MD5 d27a1e32e78580ea15a4cf5119bc2907
SHA1 ffe9ae4c1622c95eca2eab429b99361d4d7a29fe
SHA256 fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5
SHA512 bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 c45be88c52d8e5a9eba0305704b70da7
SHA1 0c812b3dea0354c8910a86160f8bfbad0db500be
SHA256 7693bcd61547a355f170f4d72e5e83b3fcecf55acc4e0c7e5ea35a9de9e27fe8
SHA512 0eda652fdace6321331cc299b917a3315b132318668afb9bf5a68f97b5854edcafdf7ec166fc947fe67069c9b91e3b9fa95fcd712265279c3911e5d9dd637429

memory/4780-260-0x00007FFAB6180000-0x00007FFAB6C41000-memory.dmp

memory/2080-249-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/840-269-0x00000000005C0000-0x0000000000E28000-memory.dmp
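
Two things in the Files list are easy to miss when reading it by hand: several paths (winlog.exe, msedge.exe, 8DAE.dll, 31839b57a4f11171d6abc8bbc4451ee4.exe) appear with more than one distinct hash, so the file on disk changed between events, and the same memory region of one process (for example PID 840, 0x5C0000-0xE28000) was dumped again and again as the run progressed. The parser below is an added example, not part of the original report. It reads the section's flat layout (a dropped-file path followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/PID-SEQ-START-END-memory.dmp names), collapses identical repeats, and reports rewritten paths, per-PID region counts and the distinct SHA256 set for a hunt. The sample entries are copied from the list above with the SHA512 lines left out for brevity; the parser accepts any subset of the four hash lines. The interpretation in the docstrings (a changed hash means the file was written in stages or replaced) is my inference, not a statement from the sandbox.

```python
"""Parser for the sandbox Files section (added example, not from the report)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the Files entries above, SHA512 lines omitted.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1000066001\toolspub2.exe

MD5 b18bb9552c7b72fc4a7a31fbe2dd3c6f
SHA256 e0c0dad38a7b96cd4bd4049a100b4c483b5f6cdf8d44c005f6039d294debfec8

memory/3340-81-0x0000000010000000-0x0000000010212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\toolspub2.exe

MD5 b18bb9552c7b72fc4a7a31fbe2dd3c6f
SHA256 e0c0dad38a7b96cd4bd4049a100b4c483b5f6cdf8d44c005f6039d294debfec8

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 3f821e69fe1b38097b29ac284016858a
SHA256 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08

memory/840-138-0x00000000005C0000-0x0000000000E28000-memory.dmp

memory/840-165-0x00000000005C0000-0x0000000000E28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

MD5 638a0639009abacc1345991e517900ce
SHA256 498a4355aa06a967fc8420c86ba64a0b30e618ae10449dc546bb8e1202d2e5af
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$"
)


def parse_files_section(text):
    """Return (files, dumps).

    files: {path: {sha256: {algo: hexdigest}}}. A repeat with the same
           hashes collapses to one entry; a repeat with different hashes
           becomes a second key under the same path.
    dumps: [{pid, seq, start, end, size}] in report order.
    """
    files = defaultdict(dict)
    dumps = []
    path, hashes = None, {}

    def flush():
        nonlocal path, hashes
        if path is not None and hashes:
            key = hashes.get("SHA256") or next(iter(hashes.values()))
            files[path][key] = hashes
        path, hashes = None, {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            flush()
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]),
                          "start": start, "end": end, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m:
            if path is not None:      # a hash line with no path is junk
                hashes[m[1]] = m[2].lower()
            continue
        flush()                       # anything else opens a new entry
        path = line
    flush()
    return dict(files), dumps


def rewritten_paths(files):
    """Paths seen with more than one distinct hash. The on-disk file changed
    between events (assumed: written in stages or replaced), so a rule keyed
    on the first hash observed may miss the final payload."""
    return {p: sorted(h) for p, h in files.items() if len(h) > 1}


def dumps_by_pid(dumps):
    """{pid: {(start, end): times_dumped}}; a count above 1 is a region the
    sandbox captured again later in the run."""
    out = defaultdict(lambda: defaultdict(int))
    for d in dumps:
        out[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(regs) for pid, regs in out.items()}


def unique_sha256(files):
    """Every distinct SHA256 in the section, once, for a hunt query."""
    return sorted({h["SHA256"] for per_path in files.values()
                   for h in per_path.values() if "SHA256" in h})
```

When hunting on the hashes from a report like this, take the full set from unique_sha256 rather than the first hash next to each path; for the paths that rewritten_paths reports, the later hash is the one that was on disk when the run ended.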