Malware Analysis Report

2025-04-14 07:21

Sample ID 230912-j9q7hseg78
Target dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc
SHA256 dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) smokiez_build backdoor discovery infostealer ransomware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc

Threat Level: Known bad

The file dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) smokiez_build backdoor discovery infostealer ransomware trojan

Detected Djvu ransomware

Amadey

Djvu Ransomware

RedLine

SmokeLoader

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Deletes itself

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-12 08:22

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-12 08:22

Reported

2023-09-12 08:24

Platform

win10-20230831-en

Max time kernel

68s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\8827.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 1528 N/A N/A C:\Users\Admin\AppData\Local\Temp\85C5.exe
PID 3292 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\8827.exe
PID 3292 wrote to memory of 312 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A2C.exe
PID 3292 wrote to memory of 220 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B85.exe
PID 3292 wrote to memory of 4028 N/A N/A C:\Users\Admin\AppData\Local\Temp\8CCE.exe
PID 3292 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\Temp\94BE.exe
PID 312 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\8A2C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2348 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\94BE.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 220 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\8B85.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4624 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4624 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\8CCE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 3160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5100 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5100 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe

"C:\Users\Admin\AppData\Local\Temp\dc84c3e216f40f7a1b12e7dfcdb26b91c3573e42c13ead91b8cd149915d4a3cc.exe"

C:\Users\Admin\AppData\Local\Temp\85C5.exe

C:\Users\Admin\AppData\Local\Temp\85C5.exe

C:\Users\Admin\AppData\Local\Temp\8827.exe

C:\Users\Admin\AppData\Local\Temp\8827.exe

C:\Users\Admin\AppData\Local\Temp\8A2C.exe

C:\Users\Admin\AppData\Local\Temp\8A2C.exe

C:\Users\Admin\AppData\Local\Temp\8B85.exe

C:\Users\Admin\AppData\Local\Temp\8B85.exe

C:\Users\Admin\AppData\Local\Temp\8CCE.exe

C:\Users\Admin\AppData\Local\Temp\8CCE.exe

C:\Users\Admin\AppData\Local\Temp\94BE.exe

C:\Users\Admin\AppData\Local\Temp\94BE.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\BD27.exe

C:\Users\Admin\AppData\Local\Temp\BD27.exe

C:\Users\Admin\AppData\Local\Temp\C016.exe

C:\Users\Admin\AppData\Local\Temp\C016.exe

C:\Users\Admin\AppData\Local\Temp\C363.exe

C:\Users\Admin\AppData\Local\Temp\C363.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C930.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C930.dll

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

C:\Users\Admin\AppData\Local\Temp\DAA7.exe

C:\Users\Admin\AppData\Local\Temp\DAA7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

C:\Users\Admin\AppData\Local\Temp\F813.exe

C:\Users\Admin\AppData\Local\Temp\F813.exe

C:\Users\Admin\AppData\Local\Temp\3DC.exe

C:\Users\Admin\AppData\Local\Temp\3DC.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\13AC.exe

C:\Users\Admin\AppData\Local\Temp\13AC.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2de59f87-ba77-4f53-86fb-35292223a8f4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\236C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\236C.dll

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

C:\Users\Admin\AppData\Local\Temp\3466.exe

C:\Users\Admin\AppData\Local\Temp\3466.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\49B4.exe

C:\Users\Admin\AppData\Local\Temp\49B4.exe

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

C:\Users\Admin\AppData\Local\Temp\5D3D.exe

C:\Users\Admin\AppData\Local\Temp\5D3D.exe

C:\Users\Admin\AppData\Local\Temp\6F4F.exe

C:\Users\Admin\AppData\Local\Temp\6F4F.exe

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

"C:\Users\Admin\AppData\Local\Temp\CF8A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8299.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1332

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8299.dll

C:\Users\Admin\AppData\Local\Temp\90A4.exe

C:\Users\Admin\AppData\Local\Temp\90A4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\90A4.exe

C:\Users\Admin\AppData\Local\Temp\90A4.exe

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

"C:\Users\Admin\AppData\Local\Temp\CF8A.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MX 201.124.224.61:80 colisumy.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 61.224.124.201.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
MX 201.124.224.61:80 colisumy.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
GB 51.38.95.107:42494 tcp
NL 194.169.175.232:45450 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
MX 201.124.224.61:80 colisumy.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:45450 tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
MX 201.124.224.61:80 colisumy.com tcp
BG 193.42.32.101:80 193.42.32.101 tcp
NL 194.169.175.232:45450 tcp
NL 194.169.175.232:80 194.169.175.232 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
NL 194.169.175.232:45450 tcp

Files

SHA1 9c4dadb4549601e93ce0cd05aa9035078e65eac4
SHA256 162be0ff62f038ac36c382f57b34446de121af0f2a4f75b8a8e5bc22bc5efd3e
SHA512 ff14a49dcd2d80c0ae3a91952788bf4d9a523dff2e746799c1a98013dcb1365cbe52b5b8aa8d2da447cea0b671b01f4804d6dbb00820dbab24c88a47377dbc0d

C:\Users\Admin\AppData\Local\Temp\F813.exe

MD5 7f212f098d1ae9595273ac3aa14ad852
SHA1 9c4dadb4549601e93ce0cd05aa9035078e65eac4
SHA256 162be0ff62f038ac36c382f57b34446de121af0f2a4f75b8a8e5bc22bc5efd3e
SHA512 ff14a49dcd2d80c0ae3a91952788bf4d9a523dff2e746799c1a98013dcb1365cbe52b5b8aa8d2da447cea0b671b01f4804d6dbb00820dbab24c88a47377dbc0d

C:\Users\Admin\AppData\Local\Temp\3DC.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

C:\Users\Admin\AppData\Local\Temp\3DC.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

memory/2136-337-0x00007FFBE66F0000-0x00007FFBE70DC000-memory.dmp

memory/2136-353-0x000001E3210A0000-0x000001E3210B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13AC.exe

MD5 f238f8437d91dfbf70e13f426af0ada3
SHA1 0aee50c31a74e4ad0f5fb09b177e2cbf30adb4b8
SHA256 ee5fef012c34194a87f1f3952518b4068e2ff4ccd8d270671eb11965956d33e6
SHA512 0d2210bbb85cb1d6c0e60667deac4c10745e9a9ea7bb90121d01683b8ed6bfcc5d6c0457924afe2768dcbe6d8373a9fd8871aebec074f61741f6a3f1aa045b13

C:\Users\Admin\AppData\Local\Temp\13AC.exe

MD5 f238f8437d91dfbf70e13f426af0ada3
SHA1 0aee50c31a74e4ad0f5fb09b177e2cbf30adb4b8
SHA256 ee5fef012c34194a87f1f3952518b4068e2ff4ccd8d270671eb11965956d33e6
SHA512 0d2210bbb85cb1d6c0e60667deac4c10745e9a9ea7bb90121d01683b8ed6bfcc5d6c0457924afe2768dcbe6d8373a9fd8871aebec074f61741f6a3f1aa045b13

C:\Users\Admin\AppData\Local\Temp\13AC.exe

MD5 f238f8437d91dfbf70e13f426af0ada3
SHA1 0aee50c31a74e4ad0f5fb09b177e2cbf30adb4b8
SHA256 ee5fef012c34194a87f1f3952518b4068e2ff4ccd8d270671eb11965956d33e6
SHA512 0d2210bbb85cb1d6c0e60667deac4c10745e9a9ea7bb90121d01683b8ed6bfcc5d6c0457924afe2768dcbe6d8373a9fd8871aebec074f61741f6a3f1aa045b13

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\236C.dll

MD5 eb99bf4bbc66b9132acd86854250d68d
SHA1 1531e42ff59ce5c678914e5f802ef8b28ad4ccdf
SHA256 98f6e5f39fe684677857d612d8e9996ad20918dc8ea7fa93fc2d37fdd78b447b
SHA512 e3a3f20f651dfb8047e8d6f0c145ffece3a4b311848aef5b8edf9df73c3fef5c600e128261e9fdc74e144515772be8cdd507df66b6ae1315c4a8db67a4b21540

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

\Users\Admin\AppData\Local\Temp\236C.dll

MD5 eb99bf4bbc66b9132acd86854250d68d
SHA1 1531e42ff59ce5c678914e5f802ef8b28ad4ccdf
SHA256 98f6e5f39fe684677857d612d8e9996ad20918dc8ea7fa93fc2d37fdd78b447b
SHA512 e3a3f20f651dfb8047e8d6f0c145ffece3a4b311848aef5b8edf9df73c3fef5c600e128261e9fdc74e144515772be8cdd507df66b6ae1315c4a8db67a4b21540

memory/3588-470-0x0000000003160000-0x0000000003166000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/2156-486-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3466.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\3466.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2136-508-0x00007FFBE66F0000-0x00007FFBE70DC000-memory.dmp

memory/2136-538-0x000001E3210A0000-0x000001E3210B0000-memory.dmp

C:\Users\Admin\AppData\Local\2de59f87-ba77-4f53-86fb-35292223a8f4\CF8A.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

C:\Users\Admin\AppData\Local\Temp\49B4.exe

MD5 7f212f098d1ae9595273ac3aa14ad852
SHA1 9c4dadb4549601e93ce0cd05aa9035078e65eac4
SHA256 162be0ff62f038ac36c382f57b34446de121af0f2a4f75b8a8e5bc22bc5efd3e
SHA512 ff14a49dcd2d80c0ae3a91952788bf4d9a523dff2e746799c1a98013dcb1365cbe52b5b8aa8d2da447cea0b671b01f4804d6dbb00820dbab24c88a47377dbc0d

C:\Users\Admin\AppData\Local\Temp\49B4.exe

MD5 7f212f098d1ae9595273ac3aa14ad852
SHA1 9c4dadb4549601e93ce0cd05aa9035078e65eac4
SHA256 162be0ff62f038ac36c382f57b34446de121af0f2a4f75b8a8e5bc22bc5efd3e
SHA512 ff14a49dcd2d80c0ae3a91952788bf4d9a523dff2e746799c1a98013dcb1365cbe52b5b8aa8d2da447cea0b671b01f4804d6dbb00820dbab24c88a47377dbc0d

memory/3300-565-0x0000000003FA0000-0x0000000004036000-memory.dmp

memory/3792-573-0x0000000073E80000-0x000000007456E000-memory.dmp

memory/3176-578-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3176-582-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ACF.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/3176-587-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3792-601-0x00000000095F0000-0x0000000009600000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D3D.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

C:\Users\Admin\AppData\Local\Temp\5D3D.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

memory/2016-620-0x00007FFBE66F0000-0x00007FFBE70DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D3D.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

memory/2016-624-0x0000022DDC8C0000-0x0000022DDC8D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6F4F.exe

MD5 f238f8437d91dfbf70e13f426af0ada3
SHA1 0aee50c31a74e4ad0f5fb09b177e2cbf30adb4b8
SHA256 ee5fef012c34194a87f1f3952518b4068e2ff4ccd8d270671eb11965956d33e6
SHA512 0d2210bbb85cb1d6c0e60667deac4c10745e9a9ea7bb90121d01683b8ed6bfcc5d6c0457924afe2768dcbe6d8373a9fd8871aebec074f61741f6a3f1aa045b13

C:\Users\Admin\AppData\Local\Temp\6F4F.exe

MD5 f238f8437d91dfbf70e13f426af0ada3
SHA1 0aee50c31a74e4ad0f5fb09b177e2cbf30adb4b8
SHA256 ee5fef012c34194a87f1f3952518b4068e2ff4ccd8d270671eb11965956d33e6
SHA512 0d2210bbb85cb1d6c0e60667deac4c10745e9a9ea7bb90121d01683b8ed6bfcc5d6c0457924afe2768dcbe6d8373a9fd8871aebec074f61741f6a3f1aa045b13

memory/3424-678-0x0000000004170000-0x000000000426D000-memory.dmp

memory/2156-686-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3792-689-0x0000000073E80000-0x000000007456E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8299.dll

MD5 eb99bf4bbc66b9132acd86854250d68d
SHA1 1531e42ff59ce5c678914e5f802ef8b28ad4ccdf
SHA256 98f6e5f39fe684677857d612d8e9996ad20918dc8ea7fa93fc2d37fdd78b447b
SHA512 e3a3f20f651dfb8047e8d6f0c145ffece3a4b311848aef5b8edf9df73c3fef5c600e128261e9fdc74e144515772be8cdd507df66b6ae1315c4a8db67a4b21540

memory/3424-713-0x0000000010000000-0x000000001021E000-memory.dmp

memory/3424-705-0x00000000044E0000-0x00000000045C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\90A4.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/4916-719-0x0000000002DF0000-0x0000000002DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\90A4.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

\Users\Admin\AppData\Local\Temp\8299.dll

MD5 eb99bf4bbc66b9132acd86854250d68d
SHA1 1531e42ff59ce5c678914e5f802ef8b28ad4ccdf
SHA256 98f6e5f39fe684677857d612d8e9996ad20918dc8ea7fa93fc2d37fdd78b447b
SHA512 e3a3f20f651dfb8047e8d6f0c145ffece3a4b311848aef5b8edf9df73c3fef5c600e128261e9fdc74e144515772be8cdd507df66b6ae1315c4a8db67a4b21540

memory/3792-724-0x00000000095F0000-0x0000000009600000-memory.dmp

memory/3424-722-0x00000000044E0000-0x00000000045C3000-memory.dmp

memory/3424-744-0x00000000044E0000-0x00000000045C3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 d03bac3e48ff9ef35ef32763bfcba932
SHA1 20269ad49e155b8ce9773a01654ea4cb25a0c19e
SHA256 0bf074beffc3a5495c9c520263ddc770baf69bc657c6449f95ffe16a709bfed7
SHA512 b38f57c5f2410be752523190ce25af42b6c9e4e7de804d713c4a76fe82a8a362f58caffceaa706edf95220ccde3211e2e81b506ff6f848e5594d3fedea0b3658

C:\Users\Admin\AppData\Local\Temp\90A4.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/3764-798-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 695761dbf7e91863fc5a05b73263b690
SHA1 0161432d6bbfa13e52b5db4a8db07f90954e2075
SHA256 a5441dd89890bd909cb847e6a57a2f166cba2e54947980a0503e2a68b36d22a4
SHA512 b82cefe57d9fa8e0494d9a7625767e462151c0df5d1ab8d542c2b951f7713198406d0ca42b9ef8a250d0be208bd1bdd10fadd5b3caa4bd4db282c113ad4beec1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 e0c21ab30525382747dfeca26b5d8aa0
SHA1 4d2f69c46b600dc5a29c261ac3365a32e0777bac
SHA256 07515a94ace8c8b17a3c6afc298afdacafaf5d29a4a34773b03aab42e04d14b6
SHA512 445867392e70f1683f11ca8a23d210163de7646ab99c261062819cca1fef4ec98bba5fb0c1024c781631d60e0a6e26b3d04c3c875001b08d8c7b4846df36ac16

memory/2156-808-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/3764-810-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3176-824-0x0000000000400000-0x0000000000537000-memory.dmp

memory/720-837-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF8A.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/720-842-0x0000000000400000-0x0000000000537000-memory.dmp