Malware Analysis Report

2025-04-14 07:37

Sample ID 230913-lp4cfsdf94
Target e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1
SHA256 e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 smokiez_build backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1

Threat Level: Known bad

The file e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1 was found to be: Known bad.

Malicious Activity Summary
RedLine

Detected Djvu ransomware

Djvu Ransomware

Amadey

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 09:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 09:43

Reported

2023-09-13 09:46

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3F2D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\51AE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2A09.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44BC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ba24c285-667e-446e-9c8a-52cc0f7b8621\\2A09.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2A09.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\47E9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\47E9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\47E9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\32E6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A09.exe
PID 3104 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\2BCF.exe
PID 3104 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D76.exe
PID 3104 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\3036.exe
PID 3104 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\32E6.exe
PID 3104 wrote to memory of 672 N/A N/A C:\Windows\system32\regsvr32.exe
PID 672 wrote to memory of 2912 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3104 wrote to memory of 2656 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F2D.exe
PID 3104 wrote to memory of 1708 N/A N/A C:\Users\Admin\AppData\Local\Temp\44BC.exe
PID 3104 wrote to memory of 1680 N/A N/A C:\Users\Admin\AppData\Local\Temp\47E9.exe
PID 1708 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\44BC.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3104 wrote to memory of 1396 N/A N/A C:\Users\Admin\AppData\Local\Temp\51AE.exe
PID 3104 wrote to memory of 316 N/A N/A C:\Users\Admin\AppData\Local\Temp\573D.exe
PID 3160 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3160 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2A09.exe C:\Users\Admin\AppData\Local\Temp\2A09.exe
PID 4644 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2D76.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4644 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2D76.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4644 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\2D76.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1.exe

"C:\Users\Admin\AppData\Local\Temp\e8d4caff4d41c6fa3c39a6c501c52b19e5be073f64ab31a3dbaf36f3ae7b60b1.exe"

C:\Users\Admin\AppData\Local\Temp\2A09.exe

C:\Users\Admin\AppData\Local\Temp\2A09.exe

C:\Users\Admin\AppData\Local\Temp\2BCF.exe

C:\Users\Admin\AppData\Local\Temp\2BCF.exe

C:\Users\Admin\AppData\Local\Temp\2D76.exe

C:\Users\Admin\AppData\Local\Temp\2D76.exe

C:\Users\Admin\AppData\Local\Temp\3036.exe

C:\Users\Admin\AppData\Local\Temp\3036.exe

C:\Users\Admin\AppData\Local\Temp\32E6.exe

C:\Users\Admin\AppData\Local\Temp\32E6.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3BD1.dll

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3BD1.dll

C:\Users\Admin\AppData\Local\Temp\44BC.exe

C:\Users\Admin\AppData\Local\Temp\44BC.exe

C:\Users\Admin\AppData\Local\Temp\47E9.exe

C:\Users\Admin\AppData\Local\Temp\47E9.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\51AE.exe

C:\Users\Admin\AppData\Local\Temp\51AE.exe

C:\Users\Admin\AppData\Local\Temp\573D.exe

C:\Users\Admin\AppData\Local\Temp\573D.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\2A09.exe

C:\Users\Admin\AppData\Local\Temp\2A09.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ba24c285-667e-446e-9c8a-52cc0f7b8621" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

"C:\Users\Admin\AppData\Local\Temp\3F2D.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\51AE.exe

C:\Users\Admin\AppData\Local\Temp\51AE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\51AE.exe

"C:\Users\Admin\AppData\Local\Temp\51AE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2A09.exe

"C:\Users\Admin\AppData\Local\Temp\2A09.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

"C:\Users\Admin\AppData\Local\Temp\3F2D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2A09.exe

"C:\Users\Admin\AppData\Local\Temp\2A09.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\51AE.exe

"C:\Users\Admin\AppData\Local\Temp\51AE.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4724 -ip 4724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3680 -ip 3680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MK 95.86.30.3:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 3.30.86.95.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 147.249.79.45.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
NL 194.169.175.232:45450 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 gudintas.at udp
MK 95.86.30.3:80 gudintas.at tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\2A09.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

C:\Users\Admin\AppData\Local\Temp\2BCF.exe

MD5 aa57bc271352cd6da84865709da432ac
SHA1 7aa710914991c996b1fc4df8c8b633f5bb3d3a16
SHA256 1d7efef95b514586c08757bb66c611018ff59a71ff17f7ac529fbbf2a0fdde13
SHA512 b38e645066bf61ee1cb4f1b68e9bf749afdee1aa15934a2397ad078e0f8c1620196e485c5fde8a9e5df7f8119d2abb5a63b2af16f6e91c939bea95d5813b44cf

C:\Users\Admin\AppData\Local\Temp\2D76.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

C:\Users\Admin\AppData\Local\Temp\3036.exe

MD5 7980cd6aa2f009db138977c965cd2c1e
SHA1 dbd57e3756c356abd5723ed000503a38518722d8
SHA256 b547730be7b7d3f9d6e2500930f144e58db1ea4caffeb266ddb60dd30562e8c4
SHA512 799298da85498c8d7868bacaee7a3a262fa339688e25ddf5b6017888c99c6fca2643f93ba0f1cddd2916b908ce4b94416d623ffef7c41a6fe5c0681f17946ee5

C:\Users\Admin\AppData\Local\Temp\32E6.exe

MD5 8e80f352faa21ac6bd996e86cd71640a
SHA1 347e8c111508d0095a05328175c0be5b86677730
SHA256 eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

C:\Users\Admin\AppData\Local\Temp\3BD1.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Temp\44BC.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\44BC.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2912-99-0x0000000010000000-0x00000000102FA000-memory.dmp

memory/3124-104-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47E9.exe

MD5 b54e64a6057aebaffb2329e0f8e5bc85
SHA1 51a101d7b31a8718968280b50aca05b597fb2fa9
SHA256 a2260ac65c2814e6a0e7b839474a298333f2a4a7ac60af12861dcc9edf5a6019
SHA512 8eaefff1ea43928969efe0c1a441e88180dc692939d8c08bfe4d0767f789477bcb7f47da1a106bf225b74da416c89e4951eb4ee0a9349a2ebfd9c5981f0d578a

C:\Users\Admin\AppData\Local\Temp\47E9.exe

MD5 b54e64a6057aebaffb2329e0f8e5bc85
SHA1 51a101d7b31a8718968280b50aca05b597fb2fa9
SHA256 a2260ac65c2814e6a0e7b839474a298333f2a4a7ac60af12861dcc9edf5a6019
SHA512 8eaefff1ea43928969efe0c1a441e88180dc692939d8c08bfe4d0767f789477bcb7f47da1a106bf225b74da416c89e4951eb4ee0a9349a2ebfd9c5981f0d578a

memory/2912-97-0x0000000001130000-0x0000000001136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\51AE.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

C:\Users\Admin\AppData\Local\Temp\51AE.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

memory/2912-118-0x0000000003000000-0x0000000003123000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\573D.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

memory/1608-121-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/2912-123-0x0000000010000000-0x00000000102FA000-memory.dmp

memory/408-125-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\573D.exe

MD5 3b49ab3a64388ef5be9ecb6c1bfd7bfc
SHA1 05a45d6c7733aaadff2556a0116fda034649c8ad
SHA256 b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c
SHA512 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d

memory/3048-129-0x0000000004060000-0x00000000040F3000-memory.dmp

memory/408-130-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3048-127-0x0000000004100000-0x000000000421B000-memory.dmp

memory/408-126-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A09.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

memory/2912-131-0x0000000003130000-0x0000000003237000-memory.dmp

memory/408-122-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1608-134-0x0000000004C50000-0x0000000004C60000-memory.dmp

memory/2912-135-0x0000000003130000-0x0000000003237000-memory.dmp

memory/112-136-0x0000000000400000-0x0000000000430000-memory.dmp

memory/112-137-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3124-138-0x0000000004E20000-0x0000000004E96000-memory.dmp

memory/3124-140-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3124-141-0x0000000004F40000-0x0000000004FA6000-memory.dmp

memory/4420-142-0x0000000000400000-0x0000000000430000-memory.dmp

memory/112-143-0x00000000057F0000-0x0000000005800000-memory.dmp

memory/3124-144-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/3124-139-0x0000000004EA0000-0x0000000004F32000-memory.dmp

memory/4420-145-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/4420-151-0x0000000002E90000-0x0000000002EA0000-memory.dmp

memory/3124-152-0x0000000005C20000-0x00000000061C4000-memory.dmp

memory/2912-153-0x0000000003130000-0x0000000003237000-memory.dmp

memory/3048-156-0x0000000004060000-0x00000000040F3000-memory.dmp

C:\Users\Admin\AppData\Local\ba24c285-667e-446e-9c8a-52cc0f7b8621\2A09.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

memory/2656-160-0x0000000003F60000-0x0000000003FF6000-memory.dmp

memory/2656-161-0x0000000004130000-0x000000000424B000-memory.dmp

memory/5100-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5100-164-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/5100-165-0x0000000000400000-0x0000000000537000-memory.dmp

memory/112-166-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/5100-167-0x0000000000400000-0x0000000000537000-memory.dmp

memory/112-169-0x00000000057F0000-0x0000000005800000-memory.dmp

memory/3124-168-0x00000000049C0000-0x0000000004A10000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

memory/3124-174-0x0000000006370000-0x0000000006532000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 4a95d8c6f4a7924d521c12715f32f664
SHA1 a2662013b0f97ff3a72f6325fd42c4a3a80aabda
SHA256 93993e8b7cc84db22e945d70f12a10efe46614801b8ccf7546b643a8b3e9e451
SHA512 d2b32cda8d78424a0ac91b073cc9ecffb44ff282d3093fcc81e5f4a84aa0320db39d38a8d73053bb79a50e91df7d7fac73b3abbcd6ab83f04e09cadc4c840792

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 d7ea18ddfe556fd20ae003326be9b3f5
SHA1 b395a9c7d64cfbd65dcbc8245cfd6aea9d76e019
SHA256 d86e17123972c501a2115987232acf55f3fb6ef1780ff7662ee0c4f65bc81e1c
SHA512 0257f3f71930acb8849b57202ad3e7170e91d382e551fd3267538ec9966070112e05ddc9d84e0ca976b769389bc945dab5a58aad428e7e115069e230996e7b9b

memory/3124-175-0x0000000006540000-0x0000000006A6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/5100-178-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4420-182-0x00000000743D0000-0x0000000074B80000-memory.dmp

C:\Users\Admin\AppData\Local\ba24c285-667e-446e-9c8a-52cc0f7b8621\2A09.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

memory/2624-183-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/1680-184-0x0000000000400000-0x00000000022F2000-memory.dmp

memory/408-185-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1680-186-0x0000000002310000-0x0000000002410000-memory.dmp

memory/1680-187-0x0000000003E00000-0x0000000003E09000-memory.dmp

memory/4420-188-0x0000000002E90000-0x0000000002EA0000-memory.dmp

memory/3124-192-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3748-197-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3748-198-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\51AE.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

memory/3104-200-0x0000000003720000-0x0000000003736000-memory.dmp

memory/3748-204-0x0000000000400000-0x0000000000537000-memory.dmp

memory/408-205-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\51AE.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

C:\Users\Admin\AppData\Local\Temp\2A09.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

C:\Users\Admin\AppData\Roaming\eecresi

MD5 b54e64a6057aebaffb2329e0f8e5bc85
SHA1 51a101d7b31a8718968280b50aca05b597fb2fa9
SHA256 a2260ac65c2814e6a0e7b839474a298333f2a4a7ac60af12861dcc9edf5a6019
SHA512 8eaefff1ea43928969efe0c1a441e88180dc692939d8c08bfe4d0767f789477bcb7f47da1a106bf225b74da416c89e4951eb4ee0a9349a2ebfd9c5981f0d578a

C:\Users\Admin\AppData\Local\Temp\3F2D.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Temp\2A09.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

C:\Users\Admin\AppData\Local\Temp\51AE.exe

MD5 548766304e374e4cda87a5ddc00793cb
SHA1 f8f7d5a16a96d599095e390a42187418117769de
SHA256 027ae817ec337c3306bfd2430d980790ae5ab4a62e6abcf0222878e1f53cfce8
SHA512 5a415a0729644e1b51f9a4a1d9b7f43982d7b309f23307ce4154541ea02e126a6fbe641c49fa23b485fc08d133f779914800e7e576f943b730c09f68d56536c8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 0eab9cbc81b630365ed87e70a3bcf348
SHA1 d6ce2097af6c58fe41f98e1b0f9c264aa552d253
SHA256 e8f1178d92ce896b5f45c707050c3e84527db102bc3687e1e7208dbd34cd7685
SHA512 1417409eee83f2c8d4a15f843374c826cc2250e23dc4d46648643d02bfbf8c463d6aa8b43274bf68be1e780f81d506948bf84903a7a1044b46b12813d67c9498

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4