Malware Analysis Report

2025-04-14 07:44

Sample ID 230912-22tlsafh6w
Target file.exe
SHA256 b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d
Tags
amadey djvu fabookie redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) lux3 smokiez_build backdoor discovery infostealer persistence ransomware spyware stealer trojan pub1 up3
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Detect Fabookie payload

Detected Djvu ransomware

Vidar

Fabookie

Djvu Ransomware

RedLine

Amadey

SmokeLoader

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Deletes itself

Modifies file permissions

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-12 23:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-12 23:05

Reported

2023-09-12 23:07

Platform

win7-20230831-en

Max time kernel

83s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b456613d-b00f-4a35-84ef-33214b2ae6dc\\D49D.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D49D.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\D49D.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D682.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F203.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\D49D.exe
PID 1424 wrote to memory of 2032 N/A N/A C:\Users\Admin\AppData\Local\Temp\D682.exe
PID 1424 wrote to memory of 2784 N/A N/A C:\Users\Admin\AppData\Local\Temp\D7AB.exe
PID 1424 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\D971.exe
PID 2156 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\D971.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\D7AB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\D7AB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\D7AB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1424 wrote to memory of 2896 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDBD.exe
PID 1424 wrote to memory of 2828 N/A N/A C:\Users\Admin\AppData\Local\Temp\EFFF.exe
PID 1424 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\Temp\F203.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\D49D.exe

C:\Users\Admin\AppData\Local\Temp\D49D.exe

C:\Users\Admin\AppData\Local\Temp\D682.exe

C:\Users\Admin\AppData\Local\Temp\D682.exe

C:\Users\Admin\AppData\Local\Temp\D7AB.exe

C:\Users\Admin\AppData\Local\Temp\D7AB.exe

C:\Users\Admin\AppData\Local\Temp\D971.exe

C:\Users\Admin\AppData\Local\Temp\D971.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

C:\Users\Admin\AppData\Local\Temp\EFFF.exe

C:\Users\Admin\AppData\Local\Temp\EFFF.exe

C:\Users\Admin\AppData\Local\Temp\F203.exe

C:\Users\Admin\AppData\Local\Temp\F203.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\43C.exe

C:\Users\Admin\AppData\Local\Temp\43C.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\6FB.exe

C:\Users\Admin\AppData\Local\Temp\6FB.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9E9.dll

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9E9.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\D49D.exe

C:\Users\Admin\AppData\Local\Temp\D49D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b456613d-b00f-4a35-84ef-33214b2ae6dc" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\D49D.exe

"C:\Users\Admin\AppData\Local\Temp\D49D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

C:\Users\Admin\AppData\Local\Temp\6FB.exe

C:\Users\Admin\AppData\Local\Temp\6FB.exe

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

"C:\Users\Admin\AppData\Local\Temp\EDBD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

"C:\Users\Admin\AppData\Local\Temp\EDBD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6FB.exe

"C:\Users\Admin\AppData\Local\Temp\6FB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D49D.exe

"C:\Users\Admin\AppData\Local\Temp\D49D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe

"C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe"

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe

"C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe"

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build3.exe

"C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build2.exe

"C:\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build2.exe"

C:\Users\Admin\AppData\Local\Temp\6FB.exe

"C:\Users\Admin\AppData\Local\Temp\6FB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build3.exe

"C:\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build3.exe"

C:\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build2.exe

"C:\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1CCB180F-1850-4A6F-9E6B-5A4178A86890} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 14.33.209.147:80 colisumy.com tcp
NL 194.169.175.232:80 194.169.175.232 tcp
KR 14.33.209.147:80 colisumy.com tcp
US 38.181.25.43:3325 tcp
GB 51.38.95.107:42494 tcp
NL 194.169.175.232:45450 tcp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
MD 176.123.9.142:14845 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.80:80 apps.identrust.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:45450 tcp
US 95.214.27.254:80 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 14.33.209.147:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 211.171.233.126:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 211.171.233.126:80 zexeq.com tcp
KR 14.33.209.147:80 colisumy.com tcp
KR 211.171.233.126:80 zexeq.com tcp
US 95.214.27.254:80 tcp

Files

memory/1728-0-0x00000000003D0000-0x00000000003E5000-memory.dmp

memory/1728-1-0x00000000003B0000-0x00000000003B9000-memory.dmp

memory/1728-2-0x0000000000400000-0x0000000002083000-memory.dmp

memory/1424-3-0x00000000026B0000-0x00000000026C6000-memory.dmp

memory/1728-4-0x0000000000400000-0x0000000002083000-memory.dmp

memory/1728-7-0x00000000003B0000-0x00000000003B9000-memory.dmp

memory/1728-8-0x00000000003D0000-0x00000000003E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\D682.exe

MD5 22daa19ff6bdee095131c478f8e642eb
SHA1 1c2ddf7319dc5806e18f9098e423016c054655d7
SHA256 9e2c8234bff4a270c621958b88f926df9267fb399f5d2385f785eea44215a861
SHA512 703087487fb7e24666893898a42fb86dea142700998275ba80983b8352c082883a9fdf873ae19e3f55a456c69bc891cb1f53c54e90a16596f10069a6c23d2bde

C:\Users\Admin\AppData\Local\Temp\D7AB.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

memory/2032-28-0x0000000000230000-0x0000000000260000-memory.dmp

memory/2032-29-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D971.exe

MD5 7980cd6aa2f009db138977c965cd2c1e
SHA1 dbd57e3756c356abd5723ed000503a38518722d8
SHA256 b547730be7b7d3f9d6e2500930f144e58db1ea4caffeb266ddb60dd30562e8c4
SHA512 799298da85498c8d7868bacaee7a3a262fa339688e25ddf5b6017888c99c6fca2643f93ba0f1cddd2916b908ce4b94416d623ffef7c41a6fe5c0681f17946ee5

memory/2032-38-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2032-39-0x00000000006E0000-0x00000000006E6000-memory.dmp

memory/2032-40-0x0000000004900000-0x0000000004940000-memory.dmp

memory/2560-41-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2560-42-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-47-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2560-48-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2560-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-45-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-49-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2560-44-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2560-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-53-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2560-54-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2560-58-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-57-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-60-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-61-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2560-62-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2560-63-0x0000000000330000-0x0000000000336000-memory.dmp

memory/2780-64-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2780-67-0x0000000000AD0000-0x0000000000B10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\EFFF.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

C:\Users\Admin\AppData\Local\Temp\F203.exe

MD5 8e80f352faa21ac6bd996e86cd71640a
SHA1 347e8c111508d0095a05328175c0be5b86677730
SHA256 eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

memory/2552-83-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2552-82-0x0000000000230000-0x0000000000260000-memory.dmp

memory/2032-87-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2552-89-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2552-88-0x0000000000500000-0x0000000000506000-memory.dmp

memory/2552-95-0x00000000045A0000-0x00000000045E0000-memory.dmp

memory/2032-96-0x0000000004900000-0x0000000004940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\43C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\43C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2780-107-0x0000000074480000-0x0000000074B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

C:\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/2560-117-0x0000000074480000-0x0000000074B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9E9.dll

MD5 ec58238fb3adab49461bce7d58730eca
SHA1 c71c577fb65a59f58d61d4cc05232431e020ed6d
SHA256 7c9cd13b71abb01a18ed7b77f602a23c91d1d9b5892888b794d4f43ba1ba37bf
SHA512 991ee2d5b05d728a6e8029e3b6723b4a974158f279d142a59a81a7972af6727b9ad22cc600ee33d65dd83685626a36021f7876ea5ec5cf528acd09d1e3fd3de9

\Users\Admin\AppData\Local\Temp\9E9.dll

MD5 ec58238fb3adab49461bce7d58730eca
SHA1 c71c577fb65a59f58d61d4cc05232431e020ed6d
SHA256 7c9cd13b71abb01a18ed7b77f602a23c91d1d9b5892888b794d4f43ba1ba37bf
SHA512 991ee2d5b05d728a6e8029e3b6723b4a974158f279d142a59a81a7972af6727b9ad22cc600ee33d65dd83685626a36021f7876ea5ec5cf528acd09d1e3fd3de9

memory/832-120-0x0000000010000000-0x000000001021E000-memory.dmp

memory/2560-121-0x0000000000370000-0x00000000003B0000-memory.dmp

memory/832-123-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2780-124-0x0000000000AD0000-0x0000000000B10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2552-126-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2552-127-0x00000000045A0000-0x00000000045E0000-memory.dmp

memory/832-129-0x00000000021A0000-0x00000000022A2000-memory.dmp

memory/832-130-0x00000000022B0000-0x000000000239A000-memory.dmp

memory/832-131-0x00000000022B0000-0x000000000239A000-memory.dmp

memory/832-133-0x00000000022B0000-0x000000000239A000-memory.dmp

memory/832-134-0x00000000022B0000-0x000000000239A000-memory.dmp

memory/2780-135-0x0000000074480000-0x0000000074B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

C:\Users\Admin\AppData\Local\Temp\Cab50F0.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/1772-167-0x00000000FFA10000-0x00000000FFA48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar523A.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b999721e5c57efc53f917a070e203f31
SHA1 9d4bdab0e786ba68c9a3a5e49e827633769302e6
SHA256 c5dd6a490ece8358c3ab13e5644075fdd4c23157e8f93dca1f2b2bdfdfcd61e7
SHA512 b76e3931dc039ccb1bbc7db5df7663d3f8e194202fedc5af3b32aa6857395fbf29fedbd8c604592e943585e2d40392e3f3031c619737cc30d0bb92d782c47a19

memory/2560-211-0x0000000074480000-0x0000000074B6E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26b9820357e0981592804feae663c372
SHA1 fc2c4264a4674ddd15efca9c25af9f667d439cd5
SHA256 8a61ea9fb5cf92c8f1563c8d66b1f1fa3fe0655db98c08584f67df9ce6e9bbbb
SHA512 f59494811d0f2064c4a9de5665578007bc6ba423f78c60c59a70618e0fb6795da16bce1a8f52c447ab3a2bd9e733f39bed03fa7b3a5d5b5b774dacaa4cd83bb5

memory/2552-221-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2032-248-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/1772-251-0x0000000002F80000-0x00000000030F1000-memory.dmp

memory/1772-252-0x0000000003100000-0x0000000003231000-memory.dmp

memory/2596-255-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2596-256-0x0000000002300000-0x000000000241B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/2972-259-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/2972-261-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/2972-264-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1772-265-0x0000000003100000-0x0000000003231000-memory.dmp

memory/2972-266-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34d2b427dc3012f5741d55ed2ff93543
SHA1 7157499120b5e22a75defac4d31902e0e6cca27f
SHA256 44d33e69aab8f61ec7a2e3f6be3c94e349007d61a134d0bc917b94d3009c938f
SHA512 247fc6429d061f9f56d10aca887bb8d4db82e05aea1fe81b141ea6f9f4c2947cb2e3987b99c8cec343080cd636ea92a5e6b71f17e6c2bbce1fa60180971d95ea

C:\Users\Admin\AppData\Local\b456613d-b00f-4a35-84ef-33214b2ae6dc\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/1292-306-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1292-308-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/1292-312-0x00000000731D0000-0x00000000738BE000-memory.dmp

memory/2972-313-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-314-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

memory/2896-316-0x0000000000240000-0x00000000002D2000-memory.dmp

\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

C:\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/2188-327-0x0000000000230000-0x00000000002C2000-memory.dmp

memory/2188-329-0x00000000024D0000-0x00000000025EB000-memory.dmp

memory/2824-331-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/1292-335-0x00000000731D0000-0x00000000738BE000-memory.dmp

memory/1796-337-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 2d8541ea8d19be4c8e54418ea14b7738
SHA1 64df9e177bb210d90d8e03f87ef6e20c054645b3
SHA256 363fc19f729a1a24299372fce30147a0e3e17f47f19645f482690e38689ea8f7
SHA512 943cc9c87b989a3ea9c33ae0c9801be61637b38fd45f09ef59029d89b92eef660d52e999597b2618844fd1da55e1987c88bb5f9d25203d44312bfe90d25b221a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf7985875c6c17a4ae39ebad40eb04db
SHA1 5d157b9dd7e91b322cbdad450e1d372f4c8f22bb
SHA256 3a4669e4648391499cd95c46d12be7d776a840b2174c048457c6a1b8e3e199bd
SHA512 11db20909260908a77eecdc9b3c2c4e37a606084b657d81572bbbb040f4647b679102d545e057575e4697c9ed5af433e082a9513c7be089dcf8dd99b2bc48763

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 8fe859be8b11c04f840d46e998f9d46c
SHA1 fee2b566e8b4860f5b255b0db23593cc228ba4a1
SHA256 0f50f0093724f0fc21a3bd34b337097ea6bddc83af173030238eb9bd1adb5bc7
SHA512 6f03483ed9b7e0a820c197962512d9ff21e4d26474b94c11cd6e4ccf7a3d603433624ca26d25d5939c2dbd98483b77b4ca2c5efc8ce7f02d68cbfcf380062f25

\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/2824-359-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-358-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDBD.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/2516-375-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

C:\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/1796-390-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1292-400-0x00000000731D0000-0x00000000738BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\D49D.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/2644-408-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04G0TJCH\geo[1].json

MD5 bb0b9f3551beed05c0ec34888817116f
SHA1 50cf2363621131813cc8e0553cb71873e50ad562
SHA256 f2e9fd3ce2e4afaeb2f2d7555fcc0864ebbe05a56e1ca802b06d32020b556de8
SHA512 0b0bf92deef58a1ccfadd19c612be5a8a8b6fda0835612fb61ccaeaf41ca22464a44fb4338441b236dd0d6f5ff097ee5475e4670305af43b35ed4ee2d5a44492

\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/836-436-0x0000000002320000-0x0000000002371000-memory.dmp

memory/836-433-0x0000000000230000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04G0TJCH\build3[1].exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\Temp\6FB.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

C:\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\a04192c2-909e-43c9-85a7-4af38fe0e082\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 fd6fd7111bf7a89890ae55830e151166
SHA1 4ececff98c7b4d3603f102e9e4783605e5d43a76
SHA256 3c4e107d0f9affe7e9ec0c331f6edde2736084f80294a8bf0151be9bfefbd56b
SHA512 58ecba98d288b4c437e9ffe1c24063ddb067357c7a5b5ee5a03c6ddba55d03681137bd5c083d30388c1e1d3f2e8ebee541558b50f927835d89419b1682efda4d

C:\SystemID\PersonalID.txt

MD5 edea70af63654c8ba57a9d59e1525734
SHA1 ed22b7b9c45a1e8a4df769a0c6f6e626373c640c
SHA256 5fac3f86ebd9436d74331c7951f44f8626d66dca56e1114b5dbc7fabba04057b
SHA512 387561eeb34d598fee5af4f4700160b17adcffb5da43fb84bd053a4306f4aba03b7910d0c59feada7a4a60a8901c4b26650f4bf07481164cfdbd6892acec6453

\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

\Users\Admin\AppData\Local\bcc50b5b-657e-4158-87e8-d720ea41525b\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/1960-484-0x00000000023A0000-0x00000000024A0000-memory.dmp

memory/2516-486-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2644-505-0x0000000000400000-0x0000000000537000-memory.dmp

memory/836-506-0x0000000000230000-0x0000000000330000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-12 23:05

Reported

2023-09-12 23:07

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1E4A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1387.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F462.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2168.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F462.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5FA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F743.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F462.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1387.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\154D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1696.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B0D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E4A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1387.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1387.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F462.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1387.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F462.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bdf10657-c714-4488-af33-65c59104b804\\F462.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F462.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\187C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\187C.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\187C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1696.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F5FA.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 3172 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 3172 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 3172 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F5FA.exe
PID 3172 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F5FA.exe
PID 3172 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F5FA.exe
PID 3172 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\F743.exe
PID 3172 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\F743.exe
PID 3172 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\F743.exe
PID 3172 wrote to memory of 3200 N/A N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe
PID 3172 wrote to memory of 3200 N/A N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe
PID 3172 wrote to memory of 3200 N/A N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2912 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\F743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\F83E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 2372 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Users\Admin\AppData\Local\Temp\F462.exe
PID 3172 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Temp\1387.exe
PID 3172 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Temp\1387.exe
PID 3172 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Temp\1387.exe
PID 3172 wrote to memory of 3012 N/A N/A C:\Users\Admin\AppData\Local\Temp\154D.exe
PID 3172 wrote to memory of 3012 N/A N/A C:\Users\Admin\AppData\Local\Temp\154D.exe
PID 3172 wrote to memory of 3012 N/A N/A C:\Users\Admin\AppData\Local\Temp\154D.exe
PID 3172 wrote to memory of 3660 N/A N/A C:\Users\Admin\AppData\Local\Temp\1696.exe
PID 3172 wrote to memory of 3660 N/A N/A C:\Users\Admin\AppData\Local\Temp\1696.exe
PID 3172 wrote to memory of 3660 N/A N/A C:\Users\Admin\AppData\Local\Temp\1696.exe
PID 3172 wrote to memory of 3284 N/A N/A C:\Users\Admin\AppData\Local\Temp\187C.exe
PID 3172 wrote to memory of 3284 N/A N/A C:\Users\Admin\AppData\Local\Temp\187C.exe
PID 3172 wrote to memory of 3284 N/A N/A C:\Users\Admin\AppData\Local\Temp\187C.exe
PID 1896 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Windows\SysWOW64\icacls.exe
PID 1896 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Windows\SysWOW64\icacls.exe
PID 1896 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\F462.exe C:\Windows\SysWOW64\icacls.exe
PID 3172 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B0D.exe
PID 3172 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B0D.exe
PID 3172 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B0D.exe
PID 3172 wrote to memory of 932 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E4A.exe
PID 3172 wrote to memory of 932 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E4A.exe
PID 3172 wrote to memory of 932 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E4A.exe
PID 3172 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\2168.exe
PID 3172 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\2168.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\F462.exe

C:\Users\Admin\AppData\Local\Temp\F462.exe

C:\Users\Admin\AppData\Local\Temp\F5FA.exe

C:\Users\Admin\AppData\Local\Temp\F5FA.exe

C:\Users\Admin\AppData\Local\Temp\F743.exe

C:\Users\Admin\AppData\Local\Temp\F743.exe

C:\Users\Admin\AppData\Local\Temp\F83E.exe

C:\Users\Admin\AppData\Local\Temp\F83E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\F462.exe

C:\Users\Admin\AppData\Local\Temp\F462.exe

C:\Users\Admin\AppData\Local\Temp\1387.exe

C:\Users\Admin\AppData\Local\Temp\1387.exe

C:\Users\Admin\AppData\Local\Temp\154D.exe

C:\Users\Admin\AppData\Local\Temp\154D.exe

C:\Users\Admin\AppData\Local\Temp\1696.exe

C:\Users\Admin\AppData\Local\Temp\1696.exe

C:\Users\Admin\AppData\Local\Temp\187C.exe

C:\Users\Admin\AppData\Local\Temp\187C.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\bdf10657-c714-4488-af33-65c59104b804" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1B0D.exe

C:\Users\Admin\AppData\Local\Temp\1B0D.exe

C:\Users\Admin\AppData\Local\Temp\1E4A.exe

C:\Users\Admin\AppData\Local\Temp\1E4A.exe

C:\Users\Admin\AppData\Local\Temp\2168.exe

C:\Users\Admin\AppData\Local\Temp\2168.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2532.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2532.dll

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1387.exe

C:\Users\Admin\AppData\Local\Temp\1387.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2752 -ip 2752

C:\Users\Admin\AppData\Local\Temp\1387.exe

"C:\Users\Admin\AppData\Local\Temp\1387.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 340

C:\Users\Admin\AppData\Local\Temp\2168.exe

C:\Users\Admin\AppData\Local\Temp\2168.exe

C:\Users\Admin\AppData\Local\Temp\2168.exe

"C:\Users\Admin\AppData\Local\Temp\2168.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F462.exe

"C:\Users\Admin\AppData\Local\Temp\F462.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1387.exe

"C:\Users\Admin\AppData\Local\Temp\1387.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1160 -ip 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\2168.exe

"C:\Users\Admin\AppData\Local\Temp\2168.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 208 -ip 208

C:\Users\Admin\AppData\Local\Temp\F462.exe

"C:\Users\Admin\AppData\Local\Temp\F462.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4320 -ip 4320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 568

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
AR 190.224.203.37:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 37.203.224.190.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
AR 190.224.203.37:80 colisumy.com tcp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
NL 194.169.175.232:45450 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 147.249.79.45.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
NL 194.169.175.232:45450 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 95.214.27.254:80 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 gudintas.at udp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
US 8.8.8.8:53 15.109.126.175.in-addr.arpa udp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
US 95.214.27.254:80 tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
KR 175.126.109.15:80 gudintas.at tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp

Files

memory/4840-0-0x00000000021F0000-0x0000000002205000-memory.dmp

memory/4840-1-0x0000000002210000-0x0000000002219000-memory.dmp

memory/4840-2-0x0000000000400000-0x0000000002083000-memory.dmp

memory/3172-3-0x0000000002460000-0x0000000002476000-memory.dmp

memory/4840-4-0x0000000000400000-0x0000000002083000-memory.dmp

memory/4840-7-0x00000000021F0000-0x0000000002205000-memory.dmp

memory/4840-8-0x0000000002210000-0x0000000002219000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F462.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\F462.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\F5FA.exe

MD5 22daa19ff6bdee095131c478f8e642eb
SHA1 1c2ddf7319dc5806e18f9098e423016c054655d7
SHA256 9e2c8234bff4a270c621958b88f926df9267fb399f5d2385f785eea44215a861
SHA512 703087487fb7e24666893898a42fb86dea142700998275ba80983b8352c082883a9fdf873ae19e3f55a456c69bc891cb1f53c54e90a16596f10069a6c23d2bde

C:\Users\Admin\AppData\Local\Temp\F5FA.exe

MD5 22daa19ff6bdee095131c478f8e642eb
SHA1 1c2ddf7319dc5806e18f9098e423016c054655d7
SHA256 9e2c8234bff4a270c621958b88f926df9267fb399f5d2385f785eea44215a861
SHA512 703087487fb7e24666893898a42fb86dea142700998275ba80983b8352c082883a9fdf873ae19e3f55a456c69bc891cb1f53c54e90a16596f10069a6c23d2bde

C:\Users\Admin\AppData\Local\Temp\F743.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

memory/4176-23-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4176-24-0x0000000002070000-0x00000000020A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F743.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

C:\Users\Admin\AppData\Local\Temp\F83E.exe

MD5 7980cd6aa2f009db138977c965cd2c1e
SHA1 dbd57e3756c356abd5723ed000503a38518722d8
SHA256 b547730be7b7d3f9d6e2500930f144e58db1ea4caffeb266ddb60dd30562e8c4
SHA512 799298da85498c8d7868bacaee7a3a262fa339688e25ddf5b6017888c99c6fca2643f93ba0f1cddd2916b908ce4b94416d623ffef7c41a6fe5c0681f17946ee5

memory/4176-32-0x00000000751A0000-0x0000000075950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F83E.exe

MD5 7980cd6aa2f009db138977c965cd2c1e
SHA1 dbd57e3756c356abd5723ed000503a38518722d8
SHA256 b547730be7b7d3f9d6e2500930f144e58db1ea4caffeb266ddb60dd30562e8c4
SHA512 799298da85498c8d7868bacaee7a3a262fa339688e25ddf5b6017888c99c6fca2643f93ba0f1cddd2916b908ce4b94416d623ffef7c41a6fe5c0681f17946ee5

memory/4176-34-0x0000000004AA0000-0x00000000050B8000-memory.dmp

memory/4176-35-0x0000000005100000-0x000000000520A000-memory.dmp

memory/4176-36-0x0000000005240000-0x0000000005252000-memory.dmp

memory/4176-37-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4176-38-0x0000000005260000-0x000000000529C000-memory.dmp

memory/952-39-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2512-40-0x0000000000400000-0x0000000000430000-memory.dmp

memory/952-41-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/2512-42-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/952-43-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/2372-44-0x0000000003DE0000-0x0000000003E72000-memory.dmp

memory/2372-45-0x0000000003E80000-0x0000000003F9B000-memory.dmp

memory/4176-46-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/1896-47-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F462.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/1896-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1896-50-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1387.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

C:\Users\Admin\AppData\Local\Temp\1387.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/4176-55-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/1896-56-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\154D.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

C:\Users\Admin\AppData\Local\Temp\154D.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

C:\Users\Admin\AppData\Local\Temp\1696.exe

MD5 8e80f352faa21ac6bd996e86cd71640a
SHA1 347e8c111508d0095a05328175c0be5b86677730
SHA256 eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

C:\Users\Admin\AppData\Local\Temp\1696.exe

MD5 8e80f352faa21ac6bd996e86cd71640a
SHA1 347e8c111508d0095a05328175c0be5b86677730
SHA256 eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

C:\Users\Admin\AppData\Local\Temp\187C.exe

MD5 592cc02a73201ffcf1249aad2381f4b5
SHA1 9e9093040fd116ac4acd8aac7948d150ee50b9b1
SHA256 2267b81e7e2bc9e00fe6497b2a9953cef4ed0b113e8308dd4ff4066b9e2637dd
SHA512 02ab4c4bd086004f8aa15e7042520703d71454069ae6f0a5a6b977f136aee74f69799a4b74b281a9d08eec038bf72786cd7e35164950fc8d387cc5f133c0aaad

memory/4176-75-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/3660-80-0x0000000000590000-0x00000000005C0000-memory.dmp

memory/4176-83-0x0000000005BD0000-0x0000000006174000-memory.dmp

memory/3660-85-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B0D.exe

MD5 592cc02a73201ffcf1249aad2381f4b5
SHA1 9e9093040fd116ac4acd8aac7948d150ee50b9b1
SHA256 2267b81e7e2bc9e00fe6497b2a9953cef4ed0b113e8308dd4ff4066b9e2637dd
SHA512 02ab4c4bd086004f8aa15e7042520703d71454069ae6f0a5a6b977f136aee74f69799a4b74b281a9d08eec038bf72786cd7e35164950fc8d387cc5f133c0aaad

C:\Users\Admin\AppData\Local\Temp\1B0D.exe

MD5 592cc02a73201ffcf1249aad2381f4b5
SHA1 9e9093040fd116ac4acd8aac7948d150ee50b9b1
SHA256 2267b81e7e2bc9e00fe6497b2a9953cef4ed0b113e8308dd4ff4066b9e2637dd
SHA512 02ab4c4bd086004f8aa15e7042520703d71454069ae6f0a5a6b977f136aee74f69799a4b74b281a9d08eec038bf72786cd7e35164950fc8d387cc5f133c0aaad

memory/4176-91-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/952-82-0x00000000751A0000-0x0000000075950000-memory.dmp

C:\Users\Admin\AppData\Local\bdf10657-c714-4488-af33-65c59104b804\F462.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/4176-78-0x00000000054C0000-0x0000000005552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\187C.exe

MD5 592cc02a73201ffcf1249aad2381f4b5
SHA1 9e9093040fd116ac4acd8aac7948d150ee50b9b1
SHA256 2267b81e7e2bc9e00fe6497b2a9953cef4ed0b113e8308dd4ff4066b9e2637dd
SHA512 02ab4c4bd086004f8aa15e7042520703d71454069ae6f0a5a6b977f136aee74f69799a4b74b281a9d08eec038bf72786cd7e35164950fc8d387cc5f133c0aaad

memory/3660-92-0x00000000751A0000-0x0000000075950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E4A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\1E4A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2512-101-0x00000000751A0000-0x0000000075950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2168.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2168.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/3660-104-0x0000000002350000-0x0000000002360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2532.dll

MD5 ec58238fb3adab49461bce7d58730eca
SHA1 c71c577fb65a59f58d61d4cc05232431e020ed6d
SHA256 7c9cd13b71abb01a18ed7b77f602a23c91d1d9b5892888b794d4f43ba1ba37bf
SHA512 991ee2d5b05d728a6e8029e3b6723b4a974158f279d142a59a81a7972af6727b9ad22cc600ee33d65dd83685626a36021f7876ea5ec5cf528acd09d1e3fd3de9

memory/952-115-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/2800-116-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/4456-118-0x0000000010000000-0x000000001021E000-memory.dmp

memory/4456-119-0x0000000001390000-0x0000000001396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2532.dll

MD5 ec58238fb3adab49461bce7d58730eca
SHA1 c71c577fb65a59f58d61d4cc05232431e020ed6d
SHA256 7c9cd13b71abb01a18ed7b77f602a23c91d1d9b5892888b794d4f43ba1ba37bf
SHA512 991ee2d5b05d728a6e8029e3b6723b4a974158f279d142a59a81a7972af6727b9ad22cc600ee33d65dd83685626a36021f7876ea5ec5cf528acd09d1e3fd3de9

memory/2512-121-0x0000000006010000-0x0000000006060000-memory.dmp

memory/2800-122-0x00000000027B0000-0x00000000027C0000-memory.dmp

memory/1896-123-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/2512-130-0x0000000008960000-0x0000000008B22000-memory.dmp

memory/2512-131-0x0000000009060000-0x000000000958C000-memory.dmp

memory/4156-139-0x00007FF78EE00000-0x00007FF78EE38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/3660-140-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/3660-141-0x0000000002350000-0x0000000002360000-memory.dmp

memory/2460-145-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2460-144-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1387.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/2460-146-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\bdf10657-c714-4488-af33-65c59104b804\F462.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/952-156-0x00000000751A0000-0x0000000075950000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 dd3cefa6ddaa9e4f752bf653e3805342
SHA1 5a10277e4feb6e9e33ea28b932f92d5692b1c0fc
SHA256 196e08defd4df41b8673a62307892357b5f51e6bd0129bb49d02e07ad3fd1e3c
SHA512 a9058f266afacda18f98b145796fa1d65e02c98824de9ee385143936af7d1817d3621ec8a46fc5aa6582fbdfd966ff70231947786f27f0245cd498940a942615

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 58808881b148af7c7acaf64252b9fb98
SHA1 153fae34a9f389973844daae1915634d7e0fc8b4
SHA256 b2eeaeb9a761cc1f6f5de793d8d283136344771a69b104107ce3fc852a234860
SHA512 bbd9f664300c2225854dc0bd3ef7439cdb687b79e992ea27b7a1c7e51e49b4468922ab37dbad60d3e3afdbbf4c7432e97f93b20fa3683fb85575bc0146ef989e

memory/3284-159-0x0000000003B50000-0x0000000003B65000-memory.dmp

memory/2800-158-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/3284-162-0x0000000003BB0000-0x0000000003BB9000-memory.dmp

memory/2752-166-0x0000000000400000-0x0000000002083000-memory.dmp

memory/3284-168-0x0000000000400000-0x0000000002083000-memory.dmp

memory/4456-167-0x0000000002F50000-0x0000000003052000-memory.dmp

memory/2460-169-0x0000000000400000-0x0000000000537000-memory.dmp

memory/836-175-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1144-172-0x00000000041C0000-0x00000000042DB000-memory.dmp

memory/1144-174-0x0000000002620000-0x00000000026B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 6bb82e63cdf8de9d79154002b8987663
SHA1 45a4870c3dbff09b9ea31d4ab2909e6ee86908a7
SHA256 57261cbea6f3d4a3755ec9cc56fa0adadb77b159fc7103c9e80e34d4d443b51e
SHA512 c55ffb0c9dca0c2e35e31f382089c7221cc518b6931df5b321cfa11a2a9923e8ea7560312cecfee532a912d2d2fcd02db620a2dc4d41e5094b0e14dfc6b51a05

C:\Users\Admin\AppData\Local\Temp\1387.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/836-179-0x0000000000400000-0x0000000000537000-memory.dmp

memory/836-178-0x0000000000400000-0x0000000000537000-memory.dmp

memory/836-180-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2168.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/2512-176-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/4156-184-0x0000000002D20000-0x0000000002E91000-memory.dmp

memory/4156-185-0x0000000002EA0000-0x0000000002FD1000-memory.dmp

memory/4456-183-0x0000000003060000-0x000000000314A000-memory.dmp

memory/4456-186-0x0000000003060000-0x000000000314A000-memory.dmp

memory/4456-188-0x0000000003060000-0x000000000314A000-memory.dmp

memory/2752-189-0x0000000000400000-0x0000000002083000-memory.dmp

memory/1896-194-0x0000000000400000-0x0000000000537000-memory.dmp

memory/836-195-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F462.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/1896-198-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2168.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/4456-203-0x0000000003060000-0x000000000314A000-memory.dmp

memory/3172-201-0x0000000003DA0000-0x0000000003DB6000-memory.dmp

memory/3284-207-0x0000000000400000-0x0000000002083000-memory.dmp

memory/3660-211-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/4176-214-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/2800-215-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/4156-216-0x0000000002EA0000-0x0000000002FD1000-memory.dmp

memory/1160-219-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1387.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/1160-220-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-222-0x0000000000400000-0x0000000000537000-memory.dmp

memory/324-223-0x0000000003FE0000-0x0000000004072000-memory.dmp

memory/208-226-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2168.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/208-227-0x0000000000400000-0x0000000000537000-memory.dmp

memory/208-229-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F462.exe

MD5 14eb924173d295a95b143f409fd3bfcc
SHA1 9d38386e2045187ad56c0f2e293f64118033d61f
SHA256 297a0c16c26a8522cb1c1f4c5002ac6b4104152f929361c7ecdefd44086f796d
SHA512 ee098b8c8e92a5719d1a80b8e799a0fa983eebaa0ad31261493927b9efabae9abc7ca13ae6c044f23938fbf09f31db7bb676f2168594376d5fcd71401b14bb0e

memory/4320-234-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\usdtugh

MD5 592cc02a73201ffcf1249aad2381f4b5
SHA1 9e9093040fd116ac4acd8aac7948d150ee50b9b1
SHA256 2267b81e7e2bc9e00fe6497b2a9953cef4ed0b113e8308dd4ff4066b9e2637dd
SHA512 02ab4c4bd086004f8aa15e7042520703d71454069ae6f0a5a6b977f136aee74f69799a4b74b281a9d08eec038bf72786cd7e35164950fc8d387cc5f133c0aaad

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

memory/4480-258-0x0000000002190000-0x00000000021A5000-memory.dmp

memory/4480-259-0x0000000002300000-0x0000000002309000-memory.dmp

memory/1472-263-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1472-262-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

memory/4480-264-0x0000000002190000-0x00000000021A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1472-271-0x0000000000400000-0x0000000000409000-memory.dmp