Malware Analysis Report

2025-04-14 07:33

Sample ID 230913-axv59sbb73
Target 0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54
SHA256 0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54
Tags
amadey djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 smokiez_build up3 backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54

Threat Level: Known bad

The file 0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54 was found to be: Known bad.

Malicious Activity Summary

Amadey

Djvu Ransomware

Detected Djvu ransomware

SmokeLoader

RedLine

Detect Fabookie payload

Fabookie

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Reads user/profile data of web browsers

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 00:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 00:35

Reported

2023-09-13 00:38

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
(25 hits; no description, indicator, process or target recorded for any of them)

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1250.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6075.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A0D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\54F8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BA4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\576A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5BEF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6075.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\28e02e78-e2df-44d8-bce5-6a5a8bacddc3\\A0D.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A0D.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5BEF.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5BEF.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5BEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe N/A
(62 further hits with no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
(the two rows above occur as a pair 30 times in the original table, none with a process recorded)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1099.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BA4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 708 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 708 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 708 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 708 wrote to memory of 1932 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA4.exe
PID 708 wrote to memory of 1932 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA4.exe
PID 708 wrote to memory of 1932 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA4.exe
PID 708 wrote to memory of 4608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe
PID 708 wrote to memory of 4608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe
PID 708 wrote to memory of 4608 N/A N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe
PID 708 wrote to memory of 3968 N/A N/A C:\Users\Admin\AppData\Local\Temp\F11.exe
PID 708 wrote to memory of 3968 N/A N/A C:\Users\Admin\AppData\Local\Temp\F11.exe
PID 708 wrote to memory of 3968 N/A N/A C:\Users\Admin\AppData\Local\Temp\F11.exe
PID 708 wrote to memory of 1688 N/A N/A C:\Users\Admin\AppData\Local\Temp\1099.exe
PID 708 wrote to memory of 1688 N/A N/A C:\Users\Admin\AppData\Local\Temp\1099.exe
PID 708 wrote to memory of 1688 N/A N/A C:\Users\Admin\AppData\Local\Temp\1099.exe
PID 708 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 708 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 708 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 708 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 708 wrote to memory of 2492 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 5112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 5112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 5112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\D8A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\F11.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2800 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\A0D.exe C:\Users\Admin\AppData\Local\Temp\A0D.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe
PID 2680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1250.exe C:\Users\Admin\AppData\Local\Temp\1250.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe

"C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe"

C:\Users\Admin\AppData\Local\Temp\A0D.exe

C:\Users\Admin\AppData\Local\Temp\A0D.exe

C:\Users\Admin\AppData\Local\Temp\BA4.exe

C:\Users\Admin\AppData\Local\Temp\BA4.exe

C:\Users\Admin\AppData\Local\Temp\D8A.exe

C:\Users\Admin\AppData\Local\Temp\D8A.exe

C:\Users\Admin\AppData\Local\Temp\F11.exe

C:\Users\Admin\AppData\Local\Temp\F11.exe

C:\Users\Admin\AppData\Local\Temp\1099.exe

C:\Users\Admin\AppData\Local\Temp\1099.exe

C:\Users\Admin\AppData\Local\Temp\1250.exe

C:\Users\Admin\AppData\Local\Temp\1250.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1667.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1667.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\A0D.exe

C:\Users\Admin\AppData\Local\Temp\A0D.exe

C:\Users\Admin\AppData\Local\Temp\1250.exe

C:\Users\Admin\AppData\Local\Temp\1250.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1250.exe

"C:\Users\Admin\AppData\Local\Temp\1250.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\54F8.exe

C:\Users\Admin\AppData\Local\Temp\54F8.exe

C:\Users\Admin\AppData\Local\Temp\576A.exe

C:\Users\Admin\AppData\Local\Temp\576A.exe

C:\Users\Admin\AppData\Local\Temp\5BEF.exe

C:\Users\Admin\AppData\Local\Temp\5BEF.exe

C:\Users\Admin\AppData\Local\Temp\6075.exe

C:\Users\Admin\AppData\Local\Temp\6075.exe

C:\Users\Admin\AppData\Local\Temp\1250.exe

"C:\Users\Admin\AppData\Local\Temp\1250.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 568

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\A0D.exe

"C:\Users\Admin\AppData\Local\Temp\A0D.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\54F8.exe

C:\Users\Admin\AppData\Local\Temp\54F8.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\54F8.exe

"C:\Users\Admin\AppData\Local\Temp\54F8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\A0D.exe

"C:\Users\Admin\AppData\Local\Temp\A0D.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 380 -ip 380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\54F8.exe

"C:\Users\Admin\AppData\Local\Temp\54F8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 568

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe"

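The command lines above carry the persistence and self-protection tricks of each payload in this chain: Amadey re-launches yiueea.exe from a one-minute scheduled task and uses CACLS to strip the user's rights on its own folder, Djvu uses icacls to deny Everyone delete rights on its install folder, RedLine starts an argument-less AppLaunch.exe from a Temp-resident parent, and SmokeLoader registers a dropped DLL with regsvr32 /s. The script below is an added example, not part of this report or of any detection product: it encodes those patterns as rules over Sysmon-style process-creation records. The ProcEvent record type, its field names and most PIDs are constructed for the example; the command lines are the ones recorded above.

```python
"""Detection checks for the process activity listed above.

Added example, not part of the sandbox report. Each rule encodes one
command-line pattern visible in the Processes section: Amadey's one-minute
schtasks re-launch and CACLS lock-down of its own folder, Djvu's icacls deny
for Everyone on its install folder, AppLaunch.exe started with no arguments
by a Temp-resident parent (the RedLine hand-off seen under
WriteProcessMemory), and regsvr32 /s on a DLL in %TEMP% (the SmokeLoader
plugin load). The ProcEvent records, their field names and most PIDs are
constructed for the example; command lines are copied from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the creating process


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WINDOWS_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_minute_temp(e: ProcEvent) -> bool:
    """schtasks /Create with a MINUTE trigger whose action lives in %TEMP%."""
    if _base(e.image) != "schtasks.exe":
        return False
    c = e.cmdline.lower()
    return "/create" in c and "/sc minute" in c and bool(TEMP_RE.search(e.cmdline))


def rule_acl_lockdown(e: ProcEvent) -> bool:
    """cacls/icacls denying a user (":N") or Everyone (*S-1-1-0) on a path;
    both Amadey and Djvu use this to keep their files from being deleted."""
    if _base(e.image) not in ("cacls.exe", "icacls.exe"):
        return False
    return bool(re.search(r'/P\s+"[^"]+:N"', e.cmdline, re.IGNORECASE)
                or re.search(r"/deny\s+\*S-1-1-0", e.cmdline, re.IGNORECASE))


def rule_applaunch_hollow(e: ProcEvent) -> bool:
    """AppLaunch.exe with an empty argument list, started by a parent outside
    C:\\Windows: the .NET host has nothing to run unless code is written into it."""
    if _base(e.image) != "applaunch.exe":
        return False
    argv = e.cmdline.strip().strip('"')
    return argv.lower().endswith("applaunch.exe") and not WINDOWS_RE.match(e.parent_image)


def rule_regsvr32_temp(e: ProcEvent) -> bool:
    """regsvr32 /s registering a DLL dropped in %TEMP%."""
    if _base(e.image) != "regsvr32.exe":
        return False
    return "/s" in e.cmdline.lower().split() and bool(TEMP_RE.search(e.cmdline))


RULES = [rule_schtasks_minute_temp, rule_acl_lockdown,
         rule_applaunch_hollow, rule_regsvr32_temp]


def evaluate(events):
    """Return (rule name, pid) for every rule that fires on every event."""
    return [(rule.__name__, e.pid) for e in events for rule in RULES if rule(e)]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed events: command lines are the ones recorded in this report,
# PIDs 2492 and 1200 come from the WriteProcessMemory table, the rest are made up.
EVENTS = [
    ProcEvent(2492, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s " + TEMP + r"\1667.dll",
              TEMP + r"\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe"),
    ProcEvent(1200, APPLAUNCH, '"' + APPLAUNCH + '"', TEMP + r"\D8A.exe"),
    ProcEvent(4900, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
              TEMP + r"\A0D.exe"),
    ProcEvent(5100, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "' + TEMP + r'\577f58beff\yiueea.exe" /F',
              TEMP + r"\577f58beff\yiueea.exe"),
    ProcEvent(5200, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:N"',
              r"C:\Windows\SysWOW64\cmd.exe"),
    # Benign controls (constructed): AppLaunch started by a Windows parent, and
    # regsvr32 on a DLL under System32; neither should fire.
    ProcEvent(6000, APPLAUNCH, '"' + APPLAUNCH + '"', r"C:\Windows\System32\svchost.exe"),
    ProcEvent(6001, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\System32\msxml3.dll", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: pid {pid}")
```

The ACL rule deliberately ignores the follow-up "Admin:R /E" grants: the deny-all ("Admin:N") and the Everyone deny are the steps that break ordinary cleanup, and an analyst removing this infection has to reset those ACLs before the folders under AppData\Local can be deleted.
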
Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MO 180.94.156.61:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 61.156.94.180.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
MO 180.94.156.61:80 colisumy.com tcp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
NL 194.169.175.232:45450 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 147.249.79.45.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
NL 194.169.175.232:45450 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 gudintas.at udp
KR 210.182.29.70:80 gudintas.at tcp
US 8.8.8.8:53 70.29.182.210.in-addr.arpa udp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
US 95.214.27.254:80 tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
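
Most rows in the table above are sandbox noise: queries to the 8.8.8.8 resolver and reverse (in-addr.arpa) lookups of every IP the machine touched. The script below is an added example, not part of this report: it parses rows in the table's own layout, keeps forward DNS queries only as the source of contacted names, counts TCP endpoints, and flags ports other than 80 and 443 (the 3325, 14845, 42494 and 45450 connections are the ones with no hostname at all). The embedded rows are copied from the table (a subset); which rows count as noise is this example's own choice.

```python
"""Extract a clean IOC list from the Network table above.

Added example, not part of the sandbox report. Rows use the table's
"Country Destination Domain Proto" layout; Domain is missing for direct-IP
connections and the sandbox repeats the IP there when a name was never used.
Queries to the 8.8.8.8 resolver are kept only as the source of queried names,
reverse (in-addr.arpa) lookups are dropped as sandbox noise, and TCP
endpoints are counted with non-80/443 ports flagged. The rows embedded below
are copied from the table (a subset); the noise filters are this example's
own choices.
"""

SAMPLE = """\
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MO 180.94.156.61:80 colisumy.com tcp
NL 194.169.175.232:80 194.169.175.232 tcp
MO 180.94.156.61:80 colisumy.com tcp
US 38.181.25.43:3325 tcp
MD 176.123.9.142:14845 tcp
NL 194.169.175.232:45450 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:45450 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 gudintas.at udp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
KR 210.182.29.70:80 gudintas.at tcp
"""

STANDARD_PORTS = (80, 443)


def parse_rows(text):
    """Split each row into its columns; Domain is optional."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or malformed line
        ip, port = dest.rsplit(":", 1)
        if domain == ip:
            domain = None  # no name was used, only the literal IP
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Queried names, TCP endpoints with hit counts, and the odd-port subset."""
    domains = set()
    connections = {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            # Resolver traffic is not an IOC itself; keep the forward lookups only.
            if r["domain"] and not r["domain"].endswith(".in-addr.arpa"):
                domains.add(r["domain"])
            continue
        key = (r["ip"], r["port"])
        c = connections.setdefault(key, {"count": 0, "domain": r["domain"],
                                         "country": r["country"]})
        c["count"] += 1
        if r["domain"] and not c["domain"]:
            c["domain"] = r["domain"]
    odd_ports = sorted(k for k in connections if k[1] not in STANDARD_PORTS)
    return {"domains": sorted(domains), "connections": connections,
            "odd_ports": odd_ports}


def ioc_lines(summary):
    """One line per indicator, busiest endpoint first."""
    lines = [f"domain {d}" for d in summary["domains"]]
    ranked = sorted(summary["connections"].items(),
                    key=lambda kv: (-kv[1]["count"], kv[0]))
    for (ip, port), c in ranked:
        flag = "  non-standard port" if port not in STANDARD_PORTS else ""
        lines.append(f"tcp {ip}:{port} {c['domain'] or '-'} x{c['count']}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_lines(summarize(parse_rows(SAMPLE)))))
```

api.2ip.ua is the external-IP lookup service flagged under "Looks up external IP address via web service" and is a shared, legitimate site; treat it as context for the detonation rather than as a blocking indicator.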

Files

memory/4608-0-0x0000000002220000-0x0000000002235000-memory.dmp

memory/4608-1-0x0000000002110000-0x0000000002119000-memory.dmp

memory/4608-2-0x0000000000400000-0x0000000002081000-memory.dmp

memory/708-3-0x0000000002690000-0x00000000026A6000-memory.dmp

memory/4608-4-0x0000000000400000-0x0000000002081000-memory.dmp

memory/4608-7-0x0000000002220000-0x0000000002235000-memory.dmp

memory/4608-8-0x0000000002110000-0x0000000002119000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A0D.exe

MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f

C:\Users\Admin\AppData\Local\Temp\BA4.exe

MD5 22daa19ff6bdee095131c478f8e642eb
SHA1 1c2ddf7319dc5806e18f9098e423016c054655d7
SHA256 9e2c8234bff4a270c621958b88f926df9267fb399f5d2385f785eea44215a861
SHA512 703087487fb7e24666893898a42fb86dea142700998275ba80983b8352c082883a9fdf873ae19e3f55a456c69bc891cb1f53c54e90a16596f10069a6c23d2bde

memory/1932-20-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D8A.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

memory/1932-21-0x00000000008B0000-0x00000000008E0000-memory.dmp

memory/1932-31-0x0000000075060000-0x0000000075810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F11.exe

MD5 7980cd6aa2f009db138977c965cd2c1e
SHA1 dbd57e3756c356abd5723ed000503a38518722d8
SHA256 b547730be7b7d3f9d6e2500930f144e58db1ea4caffeb266ddb60dd30562e8c4
SHA512 799298da85498c8d7868bacaee7a3a262fa339688e25ddf5b6017888c99c6fca2643f93ba0f1cddd2916b908ce4b94416d623ffef7c41a6fe5c0681f17946ee5

C:\Users\Admin\AppData\Local\Temp\1099.exe

MD5 8e80f352faa21ac6bd996e86cd71640a
SHA1 347e8c111508d0095a05328175c0be5b86677730
SHA256 eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

C:\Users\Admin\AppData\Local\Temp\1250.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/1932-43-0x0000000005150000-0x000000000525A000-memory.dmp

memory/1932-44-0x00000000045D0000-0x00000000045E2000-memory.dmp

memory/1932-45-0x0000000002430000-0x0000000002440000-memory.dmp

memory/1932-47-0x0000000005260000-0x000000000529C000-memory.dmp

memory/1932-41-0x0000000004B30000-0x0000000005148000-memory.dmp

memory/1688-49-0x00000000005E0000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1667.dll

MD5 ec58238fb3adab49461bce7d58730eca
SHA1 c71c577fb65a59f58d61d4cc05232431e020ed6d
SHA256 7c9cd13b71abb01a18ed7b77f602a23c91d1d9b5892888b794d4f43ba1ba37bf
SHA512 991ee2d5b05d728a6e8029e3b6723b4a974158f279d142a59a81a7972af6727b9ad22cc600ee33d65dd83685626a36021f7876ea5ec5cf528acd09d1e3fd3de9

memory/1688-48-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1688-55-0x0000000075060000-0x0000000075810000-memory.dmp

memory/5112-57-0x00000000012E0000-0x00000000012E6000-memory.dmp

memory/5112-56-0x0000000010000000-0x000000001021E000-memory.dmp

memory/1688-59-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/1200-60-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1200-61-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1200-62-0x0000000004E50000-0x0000000004E60000-memory.dmp

memory/408-63-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1932-64-0x0000000075060000-0x0000000075810000-memory.dmp

memory/408-65-0x0000000075060000-0x0000000075810000-memory.dmp

memory/408-66-0x0000000005420000-0x0000000005430000-memory.dmp

memory/1932-67-0x0000000002430000-0x0000000002440000-memory.dmp

memory/2800-68-0x0000000002220000-0x00000000022B2000-memory.dmp

memory/2800-69-0x0000000003E60000-0x0000000003F7B000-memory.dmp

memory/4580-72-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A0D.exe

MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f

memory/1688-73-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4580-70-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1932-75-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/1932-76-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/4580-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1932-77-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/1932-78-0x0000000005C60000-0x0000000006204000-memory.dmp

memory/1576-79-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1576-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-85-0x0000000004220000-0x000000000433B000-memory.dmp

memory/1576-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2680-83-0x0000000004080000-0x0000000004112000-memory.dmp

memory/1932-80-0x0000000006230000-0x0000000006280000-memory.dmp

memory/1688-97-0x0000000006430000-0x00000000065F2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

memory/1688-100-0x0000000006600000-0x0000000006B2C000-memory.dmp

memory/1576-99-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 ffc962751016889e7751bc2b08b2550c
SHA1 fc18402cf47f174ebecf75b7aaa988c35b5e5a39
SHA256 f8b4b0af84acc283bf283d75a602151880a3bf5d48d2853994c2a18c281cc7a5
SHA512 770e627c065674787a77aa5bbb927b36c188c998d72fe1ebd4bebc7b96b27306830526ba575908e69427c175dd435e9cec0b82820fa9e739d84e70d630a83d36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 ab9da886f3cbfb5f5054861f4fb7d67f
SHA1 ff57fd79dc16b2e49ccd17234005b1cc908d9ef5
SHA256 b20a4adb728a49fad2a74a97c89907aa063c2b3be412a9cd6fa6f30dbece5202
SHA512 f8c27e8e9ebe4a77b6a54686a6ca34e2d239cbc03f26ccd56d7abf2ddb1590d6b3f2ee123c36c2e2a6ae2be2d6fca5c572ee2a56e5bd7ba7ddead058c69375ae

memory/4580-98-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5112-102-0x0000000002D60000-0x0000000002E62000-memory.dmp

memory/5112-103-0x00000000031A0000-0x000000000328A000-memory.dmp

memory/5112-106-0x00000000031A0000-0x000000000328A000-memory.dmp

memory/1576-105-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5112-109-0x00000000031A0000-0x000000000328A000-memory.dmp

memory/1688-110-0x0000000004BF0000-0x0000000004C00000-memory.dmp

memory/5112-111-0x00000000031A0000-0x000000000328A000-memory.dmp

memory/1200-112-0x0000000075060000-0x0000000075810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54F8.exe

MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f

C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3\A0D.exe

MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f

C:\Users\Admin\AppData\Local\Temp\576A.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

memory/1200-122-0x0000000004E50000-0x0000000004E60000-memory.dmp

memory/1688-124-0x0000000075060000-0x0000000075810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5BEF.exe

MD5 94552b061160d163451a975066161383
SHA1 22f28f33e1f7d4574e1961170b1cb0211c6a8fc8
SHA256 e5c0fee1dc9bc3b97fc9f620bf8ea1c6f23cf7d7129fd19e88bf9de662991523
SHA512 3293b4ef5cb5a17f732a762630e6a5f686ccab4bc9c693ba7e0d93c19a8efad769759cb92323f2ebfc0821d6cf9269fca84633dce974469b0b9853c02ac2b48e

memory/4580-128-0x0000000000400000-0x0000000000537000-memory.dmp

memory/408-132-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1200-133-0x0000000075060000-0x0000000075810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6075.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/408-140-0x0000000005420000-0x0000000005430000-memory.dmp

memory/4908-143-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4908-144-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4908-146-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 7f305d024899e4809fb6f4ae00da304c
SHA1 f88a0812d36e0562ede3732ab511f459a09faff8
SHA256 8fe1088ad55d05a3c2149648c8c1ce55862e925580308afe4a4ff6cfb089c769
SHA512 bc40698582400427cd47cf80dcf39202a74148b69ed179483160b4023368d53301fa12fe6d530d9c7cdfe5f78d19ee87a285681f537950334677f8af8dfeb2ae

memory/408-155-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4612-157-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4580-158-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4612-161-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/1932-178-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1496-179-0x00007FF69E760000-0x00007FF69E798000-memory.dmp

memory/4856-182-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4856-185-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4856-186-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4792-188-0x00000000020D0000-0x00000000020E5000-memory.dmp

memory/4792-189-0x0000000000400000-0x0000000002081000-memory.dmp

memory/4792-190-0x00000000020F0000-0x00000000020F9000-memory.dmp

memory/4856-194-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4612-198-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1496-202-0x0000000002A60000-0x0000000002BD1000-memory.dmp

memory/4612-201-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

memory/1496-203-0x0000000002BE0000-0x0000000002D11000-memory.dmp

memory/380-208-0x0000000000400000-0x0000000000537000-memory.dmp

memory/380-209-0x0000000000400000-0x0000000000537000-memory.dmp

memory/380-211-0x0000000000400000-0x0000000000537000-memory.dmp

memory/708-212-0x00000000026D0000-0x00000000026E6000-memory.dmp

memory/4792-214-0x0000000000400000-0x0000000002081000-memory.dmp

memory/4792-218-0x00000000020D0000-0x00000000020E5000-memory.dmp

memory/4612-220-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3784-223-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3784-224-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1496-226-0x0000000002BE0000-0x0000000002D11000-memory.dmp

C:\Users\Admin\AppData\Roaming\afvtvej

MD5 94552b061160d163451a975066161383
SHA1 22f28f33e1f7d4574e1961170b1cb0211c6a8fc8
SHA256 e5c0fee1dc9bc3b97fc9f620bf8ea1c6f23cf7d7129fd19e88bf9de662991523
SHA512 3293b4ef5cb5a17f732a762630e6a5f686ccab4bc9c693ba7e0d93c19a8efad769759cb92323f2ebfc0821d6cf9269fca84633dce974469b0b9853c02ac2b48e

C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

memory/2876-247-0x0000000003B40000-0x0000000003B55000-memory.dmp

memory/2876-248-0x0000000003BA0000-0x0000000003BA9000-memory.dmp

memory/3368-251-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3368-252-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3368-258-0x0000000000400000-0x0000000000409000-memory.dmp
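The Files listing above is raw sandbox output: the same path recurs with identical digests, and several different paths carry one SHA-256 (Temp\A0D.exe, Temp\54F8.exe and the copy under C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3\; Temp\6075.exe and Temp\577f58beff\yiueea.exe). The Python below is an added example, not part of the sandbox report or its tooling: it parses such a listing into records, length-checks every digest so a truncated copy-paste is rejected, drops verbatim repeats, and clusters paths by SHA-256 so the self-copies stand out and a one-hash-per-binary blocklist falls out. The sample input is a constructed excerpt of the entries above; the function names are this example's own.

```python
"""Parse a sandbox 'Files' listing (a path followed by MD5/SHA1/SHA256/SHA512
lines, interleaved with memory-dump lines) into IOC records."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_LINE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")

# Constructed input: an excerpt of the report listing, copied verbatim.
# 54F8.exe is repeated on purpose, as it is in the report.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\1250.exe
MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

memory/1932-43-0x0000000005150000-0x000000000525A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A0D.exe
MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f
C:\Users\Admin\AppData\Local\Temp\54F8.exe
MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f
C:\Users\Admin\AppData\Local\Temp\54F8.exe
MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f
C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3\A0D.exe
MD5 49b904e73ee16058ca948bf728febd94
SHA1 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b
SHA256 bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed
SHA512 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f
C:\Users\Admin\AppData\Local\Temp\6075.exe
MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
"""

def parse_files_listing(text):
    """One dict per path with lowercase md5/sha1/sha256/sha512 digests.
    Digest lengths are checked so a truncated copy-paste is caught early."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or MEMDUMP_LINE.match(line):
            continue  # blank lines and memory regions carry no hash
        m = HASH_LINE.match(line)
        if m is None:
            current = {"path": line}  # any other line starts a new record
            records.append(current)
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if current is None or len(digest) != HASH_LEN[algo]:
            raise ValueError(f"malformed {algo} line: {line}")
        current[algo.lower()] = digest
    return [r for r in records if len(r) == 5]  # path plus four digests

def dedupe(records):
    """Drop verbatim repeats (same path and SHA-256), keeping the first."""
    seen, unique = set(), []
    for r in records:
        key = (r["path"], r["sha256"])
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique

def cluster_by_sha256(records):
    """Map each SHA-256 to the sorted list of paths it was written under."""
    clusters = defaultdict(set)
    for r in records:
        clusters[r["sha256"]].add(r["path"])
    return {h: sorted(paths) for h, paths in clusters.items()}

def multi_path_binaries(records):
    """Binaries written under more than one name, i.e. a payload copying
    itself to a second location; the second path is what a hunt keys on."""
    return {h: p for h, p in cluster_by_sha256(records).items() if len(p) > 1}

def sha256_blocklist(records):
    """One SHA-256 per distinct binary, the IOC set to hand to an EDR."""
    return sorted({r["sha256"] for r in records})
```

Run against the full listing, `multi_path_binaries` returns the two clusters named above and `sha256_blocklist` collapses the roughly forty dropped-file entries to the handful of distinct binaries worth blocking; a digest of the wrong length raises rather than silently producing a short IOC.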