Malware Analysis Report

2025-04-14 07:43

Sample ID 230913-qejbraef75
Target 0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57
SHA256 0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 smokiez_build backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57

Threat Level: Known bad

The file 0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Detected Djvu ransomware

Amadey

RedLine

Djvu Ransomware

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Modifies file permissions

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 13:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 13:10

Reported

2023-09-13 13:13

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(26 rows, all N/A: the sandbox recorded no description, indicator, process or target for this signature)

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CF2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1B10.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F2A2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E7EF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3c76a893-6dd1-44ca-a796-94243a0ded2b\\E7EF.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E7EF.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1542.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1542.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1542.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe N/A
(62 further rows, all N/A: no process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
(identical rows collapsed; the count is the number of times the sandbox logged the row)
Token: SeShutdownPrivilege N/A N/A N/A (30 rows, process not recorded)
Token: SeCreatePagefilePrivilege N/A N/A N/A (30 rows, process not recorded)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE2D.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E996.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (2 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(identical rows collapsed; the count is the number of times the sandbox logged the row)
PID 3096 wrote to memory of 560 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe (3 writes)
PID 3096 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\Temp\E996.exe (3 writes)
PID 560 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe (10 writes)
PID 3096 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe (3 writes)
PID 3096 wrote to memory of 444 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe (3 writes)
PID 3096 wrote to memory of 4972 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE2D.exe (3 writes)
PID 3096 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2A2.exe (3 writes)
PID 1912 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\F2A2.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (3 writes)
PID 1956 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Windows\SysWOW64\icacls.exe (3 writes)
PID 1460 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe (3 writes)
PID 1460 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 3124 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (3 writes)
PID 3124 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (3 writes)
PID 3124 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Users\Admin\AppData\Local\Temp\1B10.exe (3 writes)
PID 3124 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (8 writes)
PID 760 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CF2.exe (3 writes)
PID 444 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (4 writes)
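The WriteProcessMemory rows are the only place this report records which process wrote into which, so they are the quickest way to recover the injection chain (the unrecorded PID 3096 fans out to every dropped payload, E7EF.exe writes into a fresh copy of itself, and EB2D.exe and ED03.exe write into argument-less AppLaunch.exe instances). The script below is an added example, not part of the sandbox report: it parses the de-duplicated rows above, rebuilds the tree, and flags same-image and .NET-host writes. The list of host binaries in HOLLOW_HOSTS and the "Temp-dropped writer" heuristic are this example's own assumptions, not sandbox logic.

```python
import re
from collections import defaultdict

# De-duplicated rows copied from the "Suspicious use of WriteProcessMemory" table above.
# The sandbox logs one row per WriteProcessMemory call, so each pair originally repeated 3-10 times.
ROWS = r"""
PID 3096 wrote to memory of 560 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 3096 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\Temp\E996.exe
PID 560 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Users\Admin\AppData\Local\Temp\E7EF.exe
PID 3096 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe
PID 3096 wrote to memory of 444 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 3096 wrote to memory of 4972 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE2D.exe
PID 3096 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2A2.exe
PID 1912 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\F2A2.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1956 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\E7EF.exe C:\Windows\SysWOW64\icacls.exe
PID 1460 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1460 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3124 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3124 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Users\Admin\AppData\Local\Temp\1B10.exe
PID 3124 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\EB2D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 760 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CF2.exe
PID 444 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""

# Row layout: "PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# .NET hosts that RedLine-style loaders commonly start suspended and overwrite
# (this example's own list; AppLaunch.exe is the one seen in this report).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) tuples."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.append((int(src), int(dst), src_img, dst_img))
    return edges


def build_tree(edges):
    """Map each pid to its image and to the pids it wrote into, in first-seen order."""
    image, children = {}, defaultdict(list)
    for src, dst, src_img, dst_img in edges:
        image.setdefault(src, src_img)  # stays 'N/A' when the sandbox did not record the writer
        image[dst] = dst_img
        if dst not in children[src]:
            children[src].append(dst)
    return image, children


def roots(edges):
    """Pids that write but are never written to: the top of each chain."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render(edges):
    """Indented text tree, one line per pid."""
    image, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image.get(pid, 'N/A')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return "\n".join(lines)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_writes(edges):
    """Flag writes into a fresh copy of the same image and writes into a .NET host from a Temp-dropped exe."""
    hits = []
    for src, dst, src_img, dst_img in edges:
        if src_img != "N/A" and basename(src_img) == basename(dst_img):
            hits.append((src, dst, "same-image"))
        elif basename(dst_img) in HOLLOW_HOSTS and "\\appdata\\local\\temp\\" in src_img.lower():
            hits.append((src, dst, "hollowing host"))
    return hits


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print(render(edges))
    for src, dst, why in suspicious_writes(edges):
        print(f"{why}: {src} -> {dst}")
```

A plain parent-to-child CreateProcess also shows up as a handful of writes, so the "same-image" flag on 560 -> 1956 is a lead, not a verdict; the 10 writes and the repeated 0x400000-0x537000 dumps for PID 1956 in the Files section are what make it worth a closer look.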

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe

"C:\Users\Admin\AppData\Local\Temp\0a2ca1e480d8b227b59575d9d43fc8c4d5e959545f6d5bcce1a4c58e2af5ec57.exe"

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\E996.exe

C:\Users\Admin\AppData\Local\Temp\E996.exe

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

C:\Users\Admin\AppData\Local\Temp\EB2D.exe

C:\Users\Admin\AppData\Local\Temp\EB2D.exe

C:\Users\Admin\AppData\Local\Temp\ED03.exe

C:\Users\Admin\AppData\Local\Temp\ED03.exe

C:\Users\Admin\AppData\Local\Temp\EE2D.exe

C:\Users\Admin\AppData\Local\Temp\EE2D.exe

C:\Users\Admin\AppData\Local\Temp\F2A2.exe

C:\Users\Admin\AppData\Local\Temp\F2A2.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3c76a893-6dd1-44ca-a796-94243a0ded2b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

"C:\Users\Admin\AppData\Local\Temp\E7EF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

"C:\Users\Admin\AppData\Local\Temp\E7EF.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2116 -ip 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 568

C:\Users\Admin\AppData\Local\Temp\CF2.exe

C:\Users\Admin\AppData\Local\Temp\CF2.exe

C:\Users\Admin\AppData\Local\Temp\EC7.exe

C:\Users\Admin\AppData\Local\Temp\EC7.exe

C:\Users\Admin\AppData\Local\Temp\CF2.exe

C:\Users\Admin\AppData\Local\Temp\CF2.exe

C:\Users\Admin\AppData\Local\Temp\1542.exe

C:\Users\Admin\AppData\Local\Temp\1542.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1959.dll

C:\Users\Admin\AppData\Local\Temp\1197.exe

C:\Users\Admin\AppData\Local\Temp\1197.exe

C:\Users\Admin\AppData\Local\Temp\1B10.exe

C:\Users\Admin\AppData\Local\Temp\1B10.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1959.dll

C:\Users\Admin\AppData\Local\Temp\CF2.exe

"C:\Users\Admin\AppData\Local\Temp\CF2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1B10.exe

C:\Users\Admin\AppData\Local\Temp\1B10.exe

C:\Users\Admin\AppData\Local\Temp\CF2.exe

"C:\Users\Admin\AppData\Local\Temp\CF2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1468 -ip 1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 568

C:\Users\Admin\AppData\Local\Temp\1B10.exe

"C:\Users\Admin\AppData\Local\Temp\1B10.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1B10.exe

"C:\Users\Admin\AppData\Local\Temp\1B10.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2128 -ip 2128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
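The command lines in this section carry the behaviour worth turning into process-creation detections: icacls denying Everyone (S-1-1-0) delete rights on a GUID-named folder under %LOCALAPPDATA%, a scheduled task firing every minute against an exe in Temp, cacls locking the Amadey binary and folder to Admin:N then Admin:R, argument-less AppLaunch.exe launched by a Temp-dropped exe, and regsvr32 /s loading a DLL out of Temp. The following is an added example, not part of the sandbox report: a small rule set run over constructed process events modelled on those command lines. The event records, field names, rule names and one benign icacls control are this example's own assumptions, not sandbox output.

```python
import re

# Constructed process-creation events modelled on the Processes section above,
# in the shape a Sysmon Event ID 1 / EDR record would carry them (not sandbox output).
EVENTS = [
    {"pid": 1956, "ppid": 560, "image": r"C:\Users\Admin\AppData\Local\Temp\E7EF.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\E7EF.exe" --Admin IsNotAutoStart IsNotTask'},
    {"pid": 460, "ppid": 1956, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls "C:\Users\Admin\AppData\Local\3c76a893-6dd1-44ca-a796-94243a0ded2b" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"pid": 996, "ppid": 1460, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'},
    {"pid": 760, "ppid": 1460, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'},
    {"pid": 4476, "ppid": 3124, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\EB2D.exe"},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"/s C:\Users\Admin\AppData\Local\Temp\1959.dll"},
    # benign controls (constructed): crash reporting, and an admin granting rights on a share
    {"pid": 2200, "ppid": 2116, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 568"},
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls "D:\Shares\Finance" /grant Finance:(OI)(CI)M'},
]

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
LOCAL_APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.I)
TEMP = "\\appdata\\local\\temp\\"


def image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def rule_djvu_acl_lock(ev):
    """icacls denying Everyone (S-1-1-0) delete/delete-child on a GUID folder under %LOCALAPPDATA%."""
    c = ev["cmd"]
    return (image_is(ev, "icacls.exe") and "/deny" in c.lower() and "s-1-1-0" in c.lower()
            and GUID_RE.search(c) is not None and LOCAL_APPDATA_RE.search(c) is not None)


def rule_minute_task_from_temp(ev):
    """schtasks /Create running every minute with the action in a Temp path."""
    c = ev["cmd"].lower()
    return (image_is(ev, "schtasks.exe") and "/create" in c and "/sc minute" in c
            and "/mo 1" in c and TEMP in c)


def rule_cacls_self_lock(ev):
    """cmd /k chaining several cacls calls that first set Admin:N (no access) on a file/folder."""
    c = ev["cmd"].lower()
    return image_is(ev, "cmd.exe") and c.count("cacls") >= 2 and '/p "admin:n"' in c


def rule_dotnet_host_from_temp(ev):
    """AppLaunch.exe started with no arguments by an executable living in Temp."""
    parent = ev.get("parent_image", "").lower()
    bare = ev["cmd"].strip().strip('"').lower() == ev["image"].lower()
    return image_is(ev, "applaunch.exe") and bare and TEMP in parent


def rule_regsvr32_temp_dll(ev):
    """regsvr32 silently registering a DLL out of Temp."""
    c = ev["cmd"].lower()
    return image_is(ev, "regsvr32.exe") and TEMP in c and c.endswith(".dll")


RULES = {
    "djvu_acl_lock": rule_djvu_acl_lock,
    "minute_task_from_temp": rule_minute_task_from_temp,
    "cacls_self_lock": rule_cacls_self_lock,
    "dotnet_host_from_temp": rule_dotnet_host_from_temp,
    "regsvr32_temp_dll": rule_regsvr32_temp_dll,
}


def evaluate(events):
    """Return (pid, rule_name) for every event that trips a rule."""
    return [(ev["pid"], name) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"pid {pid}: {rule}")
```

The icacls rule keys on the combination (deny, the Everyone SID, a GUID-named folder in a user profile) rather than on icacls alone, which is why the constructed /grant on a share folder does not fire; the AppLaunch rule needs the parent image, so it only works on telemetry that records it.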

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 104.21.18.99:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MX 187.156.104.180:80 colisumy.com tcp
US 8.8.8.8:53 99.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 180.104.156.187.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
MX 187.156.104.180:80 colisumy.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 38.181.25.43:3325 tcp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 194.169.175.232:45450 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 147.249.79.45.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:45450 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 gudintas.at udp
KR 211.59.14.90:80 gudintas.at tcp
US 8.8.8.8:53 90.14.59.211.in-addr.arpa udp
KR 211.59.14.90:80 gudintas.at tcp (20 further identical connections)
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
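Most rows in the Network table are sandbox noise (queries to the 8.8.8.8 resolver and reverse PTR lookups of every peer IP), and two named hosts, api.2ip.ua and transfer.sh, are shared public services rather than attacker-owned infrastructure, so the table should not be pasted into a blocklist as-is. The script below is an added example, not part of the sandbox report: it parses rows in the table's format, drops resolver and PTR rows, separates the shared services, and produces domain, endpoint and direct-to-IP lists. The embedded rows are a subset copied from the table above; the RESOLVERS and SHARED_SERVICES sets are this example's own classification.

```python
import re
from collections import Counter

# Subset of rows copied from the Network table above (PTR and resolver rows kept on purpose).
NETWORK = """\
US 209.197.3.8:80 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 104.21.18.99:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MX 187.156.104.180:80 colisumy.com tcp
NL 194.169.175.232:80 194.169.175.232 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
MX 187.156.104.180:80 colisumy.com tcp
US 38.181.25.43:3325 tcp
MD 176.123.9.142:14845 tcp
NL 194.169.175.232:45450 tcp
GB 51.38.95.107:42494 tcp
BG 193.42.32.101:80 193.42.32.101 tcp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
DE 144.76.136.153:443 transfer.sh tcp
KR 211.59.14.90:80 gudintas.at tcp
KR 211.59.14.90:80 gudintas.at tcp
"""

# "<CC> <ip>:<port> [<domain>] <proto>": the domain column is absent on some rows.
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")

RESOLVERS = {"8.8.8.8"}                            # sandbox DNS, not attacker infrastructure
SHARED_SERVICES = {"api.2ip.ua", "transfer.sh"}    # public IP-check and file host: record, don't block blindly
COMMON_PORTS = {80, 443}


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row):
    """ptr-noise / dns-query for resolver rows, shared-service, or c2-candidate."""
    d = row["domain"]
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "ptr-noise" if d and d.endswith(".in-addr.arpa") else "dns-query"
    if d in SHARED_SERVICES:
        return "shared-service"
    return "c2-candidate"


def extract_iocs(text):
    domains, endpoints, shared, direct_ip = set(), set(), set(), set()
    hits = Counter()
    for r in parse_rows(text):
        kind, d, ip, port = classify(r), r["domain"], r["ip"], r["port"]
        if kind == "dns-query" and d not in SHARED_SERVICES:
            domains.add(d)                      # name was looked up even if no TCP row followed
        elif kind == "shared-service":
            shared.add((ip, port))
        elif kind == "c2-candidate":
            endpoints.add((ip, port))
            hits[d or ip] += 1
            if d is None or d == ip:
                direct_ip.add(ip)               # no hostname ever seen: hard-coded IP C2
            else:
                domains.add(d)
    return {
        "domains": domains,
        "endpoints": endpoints,
        "shared_services": shared,
        "direct_ip": direct_ip,
        "nonstandard_ports": {p for _, p in endpoints if p not in COMMON_PORTS},
        "hit_counts": hits,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK).items():
        print(key, sorted(value) if isinstance(value, set) else dict(value))
```

Direct-to-IP endpoints on high ports (3325, 14845, 45450, 42494 here) are the ones most likely to be per-build C2 and least likely to collide with legitimate traffic, so they are the best candidates for a network block; the domains resolving through Cloudflare-range and shared hosting IPs should be blocked by name, not by IP.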

Files

memory/3932-1-0x0000000002310000-0x0000000002410000-memory.dmp

memory/3932-2-0x0000000000400000-0x00000000022F2000-memory.dmp

memory/3932-3-0x0000000004050000-0x0000000004059000-memory.dmp

memory/3096-4-0x0000000003210000-0x0000000003226000-memory.dmp

memory/3932-5-0x0000000000400000-0x00000000022F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

C:\Users\Admin\AppData\Local\Temp\E996.exe

MD5 aa57bc271352cd6da84865709da432ac
SHA1 7aa710914991c996b1fc4df8c8b633f5bb3d3a16
SHA256 1d7efef95b514586c08757bb66c611018ff59a71ff17f7ac529fbbf2a0fdde13
SHA512 b38e645066bf61ee1cb4f1b68e9bf749afdee1aa15934a2397ad078e0f8c1620196e485c5fde8a9e5df7f8119d2abb5a63b2af16f6e91c939bea95d5813b44cf

memory/560-20-0x0000000004030000-0x00000000040CF000-memory.dmp

memory/560-21-0x00000000041F0000-0x000000000430B000-memory.dmp

memory/1956-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1956-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB2D.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/2348-30-0x00000000008D0000-0x0000000000900000-memory.dmp

memory/1956-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2348-29-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED03.exe

MD5 7980cd6aa2f009db138977c965cd2c1e
SHA1 dbd57e3756c356abd5723ed000503a38518722d8
SHA256 b547730be7b7d3f9d6e2500930f144e58db1ea4caffeb266ddb60dd30562e8c4
SHA512 799298da85498c8d7868bacaee7a3a262fa339688e25ddf5b6017888c99c6fca2643f93ba0f1cddd2916b908ce4b94416d623ffef7c41a6fe5c0681f17946ee5

memory/2348-41-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE2D.exe

MD5 8e80f352faa21ac6bd996e86cd71640a
SHA1 347e8c111508d0095a05328175c0be5b86677730
SHA256 eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

memory/2348-45-0x0000000004B20000-0x0000000005138000-memory.dmp

memory/4972-46-0x0000000002090000-0x00000000020C0000-memory.dmp

memory/2348-48-0x0000000005140000-0x000000000524A000-memory.dmp

memory/2348-51-0x0000000005250000-0x0000000005262000-memory.dmp

memory/2348-54-0x0000000002480000-0x0000000002490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2A2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4972-47-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2348-60-0x0000000005270000-0x00000000052AC000-memory.dmp

memory/4972-63-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4972-69-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/1048-77-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1048-78-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4604-79-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4604-80-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/1048-81-0x0000000005410000-0x0000000005420000-memory.dmp

memory/1956-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4604-83-0x0000000004F70000-0x0000000004F80000-memory.dmp

C:\Users\Admin\AppData\Local\3c76a893-6dd1-44ca-a796-94243a0ded2b\E7EF.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

memory/2348-85-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

memory/1956-86-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2348-90-0x0000000002480000-0x0000000002490000-memory.dmp

memory/4648-91-0x0000000003E90000-0x0000000003F22000-memory.dmp

memory/2116-94-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4972-96-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/2116-95-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2116-98-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF2.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

C:\Users\Admin\AppData\Local\Temp\EC7.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/4972-107-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/4972-109-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/944-110-0x0000000004040000-0x00000000040D9000-memory.dmp

memory/4972-106-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/4280-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1048-115-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4972-114-0x0000000005BF0000-0x0000000006194000-memory.dmp

memory/4604-120-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1197.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

memory/1048-126-0x0000000005410000-0x0000000005420000-memory.dmp

memory/1756-128-0x000002B05EF80000-0x000002B05F040000-memory.dmp

memory/1756-129-0x000002B05F420000-0x000002B05F43A000-memory.dmp

memory/1756-130-0x00007FFB28B10000-0x00007FFB295D1000-memory.dmp

memory/4604-132-0x0000000004F70000-0x0000000004F80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1542.exe

MD5 6802870401b076a6afa0a34ee42197bb
SHA1 9b12c4f7593f767c4ac58e5b6eee194a6efbf508
SHA256 581407074ab82ef32bfaaa4bd7a6bc4da38ca7c4ad8f91166c2be4325ae000f9
SHA512 ae96675a957490f3bc6a425ac15abe1118d7ef2df95ae902a0e5c00f50e54fc40341f75fa47bcb4c9e5fa1b484d310177176f4572bbda78d4f4d65578e2e35ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a422202ff3b61e90aaac7f2e0b9541bc
SHA1 6e647aedd5bc9fb10b55ef444305c31801012c03
SHA256 2546a54f40f057e318afe6d73614b262fbfd71371435ba87274f18605db94c68
SHA512 a3fa37caa5f7409b123d373cd04a53b1829fd732bc9288ff48c559f6a784c5c52e110479c6557921f20b1136352636a5212fa610fd50eda0cb60e6854dadf12d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 22cc6a9e0bc9f9e3e6d52c9b2a610162
SHA1 7e7cca8e00707aa98c171c2e7226241073d6c863
SHA256 c4a4897ffcd8f4907dbf4dca1f0f65d940da5db82be82a28ea60547068861706
SHA512 689c8cd9016410676ab796a5d2b1a67fc018b8250bcfb3344d9c5fbce0446f193edbd90606cf6c1d428c38138f83083404a3437ad5a9a24278468190479cec93

memory/4800-143-0x0000000002390000-0x0000000002399000-memory.dmp

memory/4800-142-0x00000000023A0000-0x00000000024A0000-memory.dmp

memory/1756-131-0x000002B079480000-0x000002B079490000-memory.dmp

memory/4280-122-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1959.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

memory/4280-116-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4972-117-0x00000000055A0000-0x0000000005606000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B10.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/4800-150-0x0000000000400000-0x00000000022F2000-memory.dmp

memory/4280-153-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4676-157-0x0000000003EC0000-0x0000000003F58000-memory.dmp

memory/4676-160-0x0000000004160000-0x000000000427B000-memory.dmp

memory/4588-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4724-164-0x0000000003F00000-0x0000000003F97000-memory.dmp

memory/3796-163-0x0000000002C00000-0x0000000002C06000-memory.dmp

memory/4588-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3796-159-0x0000000010000000-0x00000000102FA000-memory.dmp

memory/4604-151-0x0000000005D20000-0x0000000005D70000-memory.dmp

memory/4588-167-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-169-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1468-171-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1468-172-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1468-175-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1048-174-0x0000000006920000-0x0000000006AE2000-memory.dmp

memory/1048-176-0x0000000008CD0000-0x00000000091FC000-memory.dmp

memory/3096-177-0x0000000003520000-0x0000000003536000-memory.dmp

memory/4000-182-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4800-180-0x0000000000400000-0x00000000022F2000-memory.dmp

memory/1756-183-0x00007FFB28B10000-0x00007FFB295D1000-memory.dmp

memory/4588-185-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4000-184-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

memory/4712-191-0x0000000004000000-0x0000000004097000-memory.dmp

memory/1756-190-0x000002B079480000-0x000002B079490000-memory.dmp

memory/2128-194-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2128-196-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2128-199-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4972-202-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

memory/1048-207-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4604-208-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4000-209-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4000-210-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

memory/4000-211-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\fgwjtfg

MD5 6802870401b076a6afa0a34ee42197bb
SHA1 9b12c4f7593f767c4ac58e5b6eee194a6efbf508
SHA256 581407074ab82ef32bfaaa4bd7a6bc4da38ca7c4ad8f91166c2be4325ae000f9
SHA512 ae96675a957490f3bc6a425ac15abe1118d7ef2df95ae902a0e5c00f50e54fc40341f75fa47bcb4c9e5fa1b484d310177176f4572bbda78d4f4d65578e2e35ed

memory/2348-218-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/3796-219-0x00000000030E0000-0x0000000003203000-memory.dmp

memory/3796-220-0x0000000003210000-0x0000000003317000-memory.dmp

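
The flat list above hides two things an analyst wants immediately: which dropped files are the same bytes under different names (for example F2A2.exe and 577f58beff\yiueea.exe carry identical hashes, as do 1542.exe and Roaming\fgwjtfg), and which memory regions recur across several PIDs. The following parser is an added example, not code from the report or from the sandbox that produced it. It assumes only the layout visible on this page (a path line followed by MD5/SHA1/SHA256/SHA512 lines; dumps named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp). The sample input is constructed from a subset of the entries above, with one orphaned SHA512 line added to show how a hash without a path is skipped.

```python
"""Parse the flattened Files section of a sandbox report into IOC records.

Added example (not code from the report or its sandbox). Assumes the layout
seen on this page: a path line followed by MD5/SHA1/SHA256/SHA512 lines, and
dump entries named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class DroppedFile:
    path: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (files, dumps). A path whose hash block is incomplete, or whose
    hashes have the wrong length, is dropped rather than stored as a bad IOC."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    files, dumps = [], []
    i = 0
    while i < len(lines):
        m = DUMP_RE.match(lines[i])
        if m:
            dumps.append(MemoryDump(int(m["pid"]), int(m["seq"]),
                                    int(m["start"], 16), int(m["end"], 16)))
            i += 1
            continue
        if HASH_RE.match(lines[i]):
            i += 1          # orphan hash line with no path before it: skip
            continue
        path = lines[i]     # anything else is a file path; its hashes follow
        i += 1
        hashes = {}
        while i < len(lines) and (hm := HASH_RE.match(lines[i])):
            hashes[hm.group(1)] = hm.group(2).lower()   # page mixes case
            i += 1
        if all(len(hashes.get(k, "")) == n for k, n in HASH_LEN.items()):
            files.append(DroppedFile(path, hashes["MD5"], hashes["SHA1"],
                                     hashes["SHA256"], hashes["SHA512"]))
    return files, dumps


def aliases_by_sha256(files):
    """SHA256 -> distinct paths: the same bytes written under several names."""
    paths = defaultdict(set)
    for f in files:
        paths[f.sha256].add(f.path)
    return {h: sorted(p) for h, p in paths.items()}


def shared_regions(dumps, min_pids=2):
    """(start, end) -> sorted PIDs for ranges dumped from >= min_pids processes.
    One identical range in several PIDs is the usual sign of a single payload
    unpacked or injected into each of them."""
    pids = defaultdict(set)
    for d in dumps:
        pids[(d.start, d.end)].add(d.pid)
    return {r: sorted(p) for r, p in pids.items() if len(p) >= min_pids}


# Constructed sample: a subset of this report's entries plus one orphan hash.
SAMPLE = r"""
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

memory/2348-85-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/4972-63-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2A2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1048-78-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/4604-80-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/1956-82-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\3c76a893-6dd1-44ca-a796-94243a0ded2b\E7EF.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

C:\Users\Admin\AppData\Local\Temp\E7EF.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

memory/2116-94-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF2.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

memory/4280-113-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1756-130-0x00007FFB28B10000-0x00007FFB295D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1542.exe

MD5 6802870401b076a6afa0a34ee42197bb
SHA1 9b12c4f7593f767c4ac58e5b6eee194a6efbf508
SHA256 581407074ab82ef32bfaaa4bd7a6bc4da38ca7c4ad8f91166c2be4325ae000f9
SHA512 ae96675a957490f3bc6a425ac15abe1118d7ef2df95ae902a0e5c00f50e54fc40341f75fa47bcb4c9e5fa1b484d310177176f4572bbda78d4f4d65578e2e35ed

memory/4588-166-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4000-182-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\fgwjtfg

MD5 6802870401b076a6afa0a34ee42197bb
SHA1 9b12c4f7593f767c4ac58e5b6eee194a6efbf508
SHA256 581407074ab82ef32bfaaa4bd7a6bc4da38ca7c4ad8f91166c2be4325ae000f9
SHA512 ae96675a957490f3bc6a425ac15abe1118d7ef2df95ae902a0e5c00f50e54fc40341f75fa47bcb4c9e5fa1b484d310177176f4572bbda78d4f4d65578e2e35ed
"""

if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for sha, paths in aliases_by_sha256(files).items():
        if len(paths) > 1:
            print(sha[:16], "written as:", *paths, sep="\n  ")
    for (start, end), pids in shared_regions(dumps).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) in PIDs {pids}")
```

Feed the whole Files section to parse_report and the alias table doubles as a deduplicated hash list for blocking, while the shared-region table tells you which PIDs to pull the same unpacked image from; a hash whose length is wrong (a truncated copy-paste) is rejected rather than silently becoming a bad indicator.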