Malware Analysis Report

2025-04-14 07:39

Sample ID 230913-sypc8adb7w
Target 2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e
SHA256 2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 smokiez_build backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e

Threat Level: Known bad

The file 2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 smokiez_build backdoor discovery infostealer persistence ransomware spyware stealer trojan

Amadey

Detected Djvu ransomware

SmokeLoader

RedLine

Djvu Ransomware

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 15:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 15:32

Reported

2023-09-13 15:34

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (26 hits; no indicator details recorded)

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7B1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F992.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\21D1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3251.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b4495317-92a2-420d-84c6-7c1fa4bc2388\\F992.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F992.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (4 lookups)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2B0C.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2B0C.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2B0C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e.exe N/A (2 hits)
N/A N/A N/A N/A (62 hits; no process attributed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (26 times)
Token: SeCreatePagefilePrivilege N/A N/A N/A (26 times)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FE87.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (2 times)
Token: SeCreatePagefilePrivilege N/A N/A N/A (2 times)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FB59.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (2 times)
Token: SeCreatePagefilePrivilege N/A N/A N/A (2 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 3684 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\F992.exe
PID 1372 wrote to memory of 2168 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\FB59.exe
PID 3684 wrote to memory of 4212 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\F992.exe C:\Users\Admin\AppData\Local\Temp\F992.exe
PID 1372 wrote to memory of 3292 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\FD3E.exe
PID 1372 wrote to memory of 1800 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\FE87.exe
PID 1372 wrote to memory of 1780 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\FFD0.exe
PID 1372 wrote to memory of 1808 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\7B1.exe
PID 1808 wrote to memory of 3320 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\7B1.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4212 wrote to memory of 3068 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\F992.exe C:\Windows\SysWOW64\icacls.exe
PID 3320 wrote to memory of 3560 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3320 wrote to memory of 3636 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 3212 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 5104 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\FFD0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3636 wrote to memory of 4432 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3636 wrote to memory of 4828 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3636 wrote to memory of 2268 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 1796 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21D1.exe
PID 3636 wrote to memory of 4128 (1 write) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
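
The table above is easiest to read as a process tree. The hub that writes into every first-stage payload (F992, FB59, FD3E, FE87, FFD0, 7B1) is PID 1372, whose image the report never names, and two edges carry far more writes than the others: 3684 into 4212 (F992.exe relaunching itself) and 1780 into 5104 (FFD0.exe into AppLaunch.exe). The Python below rebuilds that tree. It is an added example, not output of the sandbox: the rows are transcribed from the table with identical rows collapsed into a write count, and the "more than three writes means code was injected" cut-off is a heuristic chosen for this example after noting that every ordinary child launch in this table is recorded as exactly three writes.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' table.

Added example, not sandbox output. WPM_ROWS are transcribed from the table
above as (writer PID, target PID, writer image, target image, writes), with
identical rows collapsed into the write count. The '>3 writes' injection
cut-off is this example's heuristic, not a sandbox rule.
"""
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW = r"C:\Windows\SysWOW64"
CLR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
NA = "N/A"   # the report did not attribute an image to this PID

WPM_ROWS = [
    (1372, 3684, NA, TEMP + r"\F992.exe", 3),
    (1372, 2168, NA, TEMP + r"\FB59.exe", 3),
    (3684, 4212, TEMP + r"\F992.exe", TEMP + r"\F992.exe", 10),
    (1372, 3292, NA, TEMP + r"\FD3E.exe", 3),
    (1372, 1800, NA, TEMP + r"\FE87.exe", 3),
    (1372, 1780, NA, TEMP + r"\FFD0.exe", 3),
    (1372, 1808, NA, TEMP + r"\7B1.exe", 3),
    (1808, 3320, TEMP + r"\7B1.exe", TEMP + r"\577f58beff\yiueea.exe", 3),
    (4212, 3068, TEMP + r"\F992.exe", SYSWOW + r"\icacls.exe", 3),
    (3320, 3560, TEMP + r"\577f58beff\yiueea.exe", SYSWOW + r"\schtasks.exe", 3),
    (3320, 3636, TEMP + r"\577f58beff\yiueea.exe", SYSWOW + r"\cmd.exe", 3),
    (3636, 3212, SYSWOW + r"\cmd.exe", SYSWOW + r"\cmd.exe", 3),
    (1780, 5104, TEMP + r"\FFD0.exe", CLR + r"\AppLaunch.exe", 8),
    (3636, 4432, SYSWOW + r"\cmd.exe", SYSWOW + r"\cacls.exe", 3),
    (3636, 4828, SYSWOW + r"\cmd.exe", SYSWOW + r"\cacls.exe", 3),
    (3636, 2268, SYSWOW + r"\cmd.exe", SYSWOW + r"\cmd.exe", 3),
    (3636, 1796, SYSWOW + r"\cmd.exe", TEMP + r"\21D1.exe", 3),
    (3636, 4128, SYSWOW + r"\cmd.exe", SYSWOW + r"\cacls.exe", 1),
]

# Every plain child launch in this table is recorded as exactly three writes
# (heuristic for this report); more than that means code was written into the target.
SPAWN_WRITES = 3


def build_tree(rows):
    """Return (children, image, parent) maps; the first writer into a PID is its parent."""
    children, image, parent = defaultdict(list), {}, {}
    for writer, target, writer_img, target_img, _ in rows:
        if target not in parent:
            parent[target] = writer
            children[writer].append(target)
        if writer_img != NA:
            image.setdefault(writer, writer_img)
        if target_img != NA:
            image.setdefault(target, target_img)
    return children, image, parent


def basename(path):
    return path.rsplit("\\", 1)[-1]


def roots(rows):
    """PIDs that write into others but are never written into themselves."""
    children, _, parent = build_tree(rows)
    return sorted(pid for pid in children if pid not in parent)


def lineage(rows, pid):
    """Image names from the root down to pid, the 'parent chain' a SIEM shows."""
    _, image, parent = build_tree(rows)
    chain = []
    while pid is not None:
        chain.append(basename(image.get(pid, "<unattributed>")))
        pid = parent.get(pid)
    return chain[::-1]


def injection_edges(rows, spawn_writes=SPAWN_WRITES):
    """(writer, target) pairs with more writes than a plain spawn produces."""
    return [(w, t) for w, t, _, _, n in rows if n > spawn_writes]


def render(rows):
    """Indented text tree, one 'PID image' line per process."""
    children, image, _ = build_tree(rows)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image.get(pid, '<unattributed>'))}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(rows):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(WPM_ROWS)))
    print("injection candidates:", injection_edges(WPM_ROWS))
```

lineage() gives the parent chain to attach to each command line in the Processes section; injection_edges() names the two targets worth pulling memory from, and the Files section does carry memory dumps for PIDs 4212 and 5104.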

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e.exe

"C:\Users\Admin\AppData\Local\Temp\2c1dccdff9a5f33b6367cc429c00f0fe54f9354b2a6049a070a2f5c42e33204e.exe"

C:\Users\Admin\AppData\Local\Temp\F992.exe

C:\Users\Admin\AppData\Local\Temp\F992.exe

C:\Users\Admin\AppData\Local\Temp\FB59.exe

C:\Users\Admin\AppData\Local\Temp\FB59.exe

C:\Users\Admin\AppData\Local\Temp\F992.exe

C:\Users\Admin\AppData\Local\Temp\F992.exe

C:\Users\Admin\AppData\Local\Temp\FD3E.exe

C:\Users\Admin\AppData\Local\Temp\FD3E.exe

C:\Users\Admin\AppData\Local\Temp\FE87.exe

C:\Users\Admin\AppData\Local\Temp\FE87.exe

C:\Users\Admin\AppData\Local\Temp\FFD0.exe

C:\Users\Admin\AppData\Local\Temp\FFD0.exe

C:\Users\Admin\AppData\Local\Temp\7B1.exe

C:\Users\Admin\AppData\Local\Temp\7B1.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b4495317-92a2-420d-84c6-7c1fa4bc2388" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\F992.exe

"C:\Users\Admin\AppData\Local\Temp\F992.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F992.exe

"C:\Users\Admin\AppData\Local\Temp\F992.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 568

C:\Users\Admin\AppData\Local\Temp\21D1.exe

C:\Users\Admin\AppData\Local\Temp\21D1.exe

C:\Users\Admin\AppData\Local\Temp\24FF.exe

C:\Users\Admin\AppData\Local\Temp\24FF.exe

C:\Users\Admin\AppData\Local\Temp\21D1.exe

C:\Users\Admin\AppData\Local\Temp\21D1.exe

C:\Users\Admin\AppData\Local\Temp\27BF.exe

C:\Users\Admin\AppData\Local\Temp\27BF.exe

C:\Users\Admin\AppData\Local\Temp\2B0C.exe

C:\Users\Admin\AppData\Local\Temp\2B0C.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\309B.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\309B.dll

C:\Users\Admin\AppData\Local\Temp\3251.exe

C:\Users\Admin\AppData\Local\Temp\3251.exe

C:\Users\Admin\AppData\Local\Temp\21D1.exe

"C:\Users\Admin\AppData\Local\Temp\21D1.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3251.exe

C:\Users\Admin\AppData\Local\Temp\3251.exe

C:\Users\Admin\AppData\Local\Temp\21D1.exe

"C:\Users\Admin\AppData\Local\Temp\21D1.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1408 -ip 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 568

C:\Users\Admin\AppData\Local\Temp\3251.exe

"C:\Users\Admin\AppData\Local\Temp\3251.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3251.exe

"C:\Users\Admin\AppData\Local\Temp\3251.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1872 -ip 1872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
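
The command lines above are the most reusable part of this report. Djvu's icacls call strips delete rights (DE,DC) from Everyone (S-1-1-0) on its GUID-named folder under AppData\Local, and it relaunches itself with --Admin IsNotAutoStart IsNotTask. Amadey registers yiueea.exe as a scheduled task that fires every minute, then runs an echo Y|CACLS chain that sets the Admin user to No access and then Read on its own binary and folder, so the user it runs as can no longer modify or delete it. A DLL in %TEMP% is registered silently with regsvr32 /s, and AppLaunch.exe is started with no arguments by a payload in %TEMP%. The Python below turns each of those into a rule over process-creation events. It is an added example, not part of the report: the sample events are constructed, with the malicious command lines copied from above and the benign look-alikes invented to show what must not match; the parent of the 64-bit regsvr32 launch is marked unknown because the report does not record it; rule names and the "bare AppLaunch.exe from a user-writable parent" heuristic are this example's own.

```python
"""Detection rules for the command lines recorded in the Processes section.

Added example, not part of the report. SAMPLE_EVENTS are constructed
process-creation events (parent image, command line): the malicious command
lines are copied from above, the benign ones are invented as negative cases.
"""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

SAMPLE_EVENTS = [
    # Djvu/STOP: deny Everyone delete rights on its GUID folder, then relaunch itself
    (TEMP + r"\F992.exe",
     r'icacls "C:\Users\Admin\AppData\Local\b4495317-92a2-420d-84c6-7c1fa4bc2388" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (TEMP + r"\F992.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\F992.exe" --Admin IsNotAutoStart IsNotTask'),
    # Amadey: one-minute task, then lock its own file and folder with CACLS
    (TEMP + r"\577f58beff\yiueea.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (TEMP + r"\577f58beff\yiueea.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    # silent registration of a DLL dropped in %TEMP% (parent not recorded in the report)
    ("<unknown>", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\309B.dll"),
    # .NET host started with no arguments by a payload in %TEMP%
    (TEMP + r"\FFD0.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'),
    # benign look-alikes, constructed: none of these should match
    (r"C:\Windows\System32\svchost.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe"'),
    (r"C:\Program Files\Vendor\setup.exe", r'regsvr32 /s "C:\Program Files\Vendor\codec.dll"'),
    (r"C:\Windows\System32\cmd.exe", r'icacls "D:\Share" /grant Users:(OI)(CI)R'),
]

USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\AppData\\")
BARE_APPLAUNCH = re.compile(r'(?i)^"?[^"]*\\AppLaunch\.exe"?\s*$')

RULES = {
    # deny Everyone (S-1-1-0) delete + delete-child on a folder under AppData\Local
    "icacls_deny_everyone_delete": re.compile(
        r"(?i)\bicacls\b.*\\AppData\\Local\\.*\s/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)"),
    # Djvu relaunch switches; --AutoStart is the value written to the SysHelper Run key
    "djvu_relaunch_switches": re.compile(
        r"--Admin\s+IsNotAutoStart\s+IsNotTask\b|\s--AutoStart\b"),
    # one-minute scheduled task whose action lives in a user profile
    "schtasks_minute_loop_userpath": re.compile(
        r'(?i)schtasks(\.exe)?"?\s+/Create\b.*\s/SC\s+MINUTE\s+/MO\s+1\b.*\s/TR\s+"?[^"]*\\AppData\\'),
    # echo Y piped into CACLS to replace an ACL with '<user>:N' without a prompt
    "cacls_echo_y_lockdown": re.compile(
        r'(?i)echo\s+Y\s*\|\s*CACLS\s+"[^"]+"\s+/P\s+"[^"]+:N"'),
    # silent registration of a DLL located under a Temp directory
    "regsvr32_silent_temp_dll": re.compile(
        r'(?i)\bregsvr32(\.exe)?"?\s+[/-]s\s+"?[^"]*\\Temp\\[^"]*\.dll'),
}


def match_rules(parent_image, command_line):
    """Names of the rules that fire for one process-creation event."""
    hits = [name for name, rx in RULES.items() if rx.search(command_line)]
    # Heuristic: AppLaunch.exe normally receives ClickOnce arguments; a bare launch
    # whose parent lives under a user profile is the hollowing pattern in this report.
    if BARE_APPLAUNCH.match(command_line) and USER_WRITABLE.search(parent_image):
        hits.append("applaunch_bare_from_user_path")
    return hits


def scan(events):
    """[(command line, [rule names])] for every event, hits or not."""
    return [(cmd, match_rules(parent, cmd)) for parent, cmd in events]


def alerts(events):
    """Only the events that fired, keyed by command line."""
    return {cmd: hits for cmd, hits in scan(events) if hits}
```

In live telemetry match on the Image field as well as the command line: the second regsvr32 instance above is launched as plain `/s C:\Users\Admin\AppData\Local\Temp\309B.dll` with no program name, which a command-line-only rule misses.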

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
PA 181.197.76.240:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.76.197.181.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 38.181.25.43:3325 - tcp
MD 176.123.9.142:14845 - tcp
PA 181.197.76.240:80 colisumy.com tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
GB 51.38.95.107:42494 - tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
NL 194.169.175.232:45450 - tcp
NL 194.169.175.232:80 194.169.175.232 tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 147.249.79.45.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:45450 - tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 gudintas.at udp
HU 84.224.216.79:80 gudintas.at tcp (7 connections)
US 8.8.8.8:53 79.216.224.84.in-addr.arpa udp
HU 84.224.216.79:80 gudintas.at tcp (15 connections)
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
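
Most rows in the Network table carry no blocking value on their own: the 8.8.8.8:53 rows are queries to the sandbox's resolver, and the in-addr.arpa names are reverse lookups. What remains is the set of names the samples resolved, the hosts they connected to, and how often. The Python below, an added example rather than sandbox output, parses an excerpt of the table as pasted (rows with an empty Domain cell have three fields, and the sandbox writes the IP into the Domain column when no name was involved) and separates the two third-party services the samples used, api.2ip.ua for the external IP lookup the report flags and transfer.sh for file hosting, from the remaining candidate C2 endpoints. That split and the PUBLIC_SERVICES list are this example's own classification, not something the sandbox asserts.

```python
"""Parse the Network table of this report into de-duplicated network IOCs.

Added example, not sandbox output. NETWORK_EXCERPT is an excerpt of the
table above pasted as-is; the PUBLIC_SERVICES split is this example's own.
"""
import re
from collections import Counter

RESOLVER = ("8.8.8.8", 53)                 # the sandbox VM's DNS server
REVERSE_DNS = re.compile(r"\.in-addr\.arpa$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
COLLAPSED = re.compile(r"\s*\((\d+) connections?\)$")  # optional '(N connections)' suffix
# Third-party services the samples used for IP lookup and file hosting; kept apart
# so they are not pushed to a block list as if they were C2 (this example's list).
PUBLIC_SERVICES = {"api.2ip.ua", "transfer.sh"}

NETWORK_EXCERPT = """\
Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
PA 181.197.76.240:80 colisumy.com tcp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 38.181.25.43:3325 tcp
MD 176.123.9.142:14845 tcp
PA 181.197.76.240:80 colisumy.com tcp
GB 51.38.95.107:42494 tcp
NL 194.169.175.232:45450 tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 gudintas.at udp
HU 84.224.216.79:80 gudintas.at tcp
HU 84.224.216.79:80 gudintas.at tcp
HU 84.224.216.79:80 gudintas.at tcp
"""


def parse_network_table(text):
    """One dict per row. Accepts 3-field rows (empty Domain cell), a '-' placeholder
    for the Domain cell, and a trailing '(N connections)' count on collapsed rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        count = 1
        m = COLLAPSED.search(line)
        if m:
            count, line = int(m.group(1)), line[:m.start()]
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": "" if domain == "-" else domain,
                     "proto": proto, "count": count})
    return rows


def dns_queries(rows):
    """Names the samples resolved, without the reverse lookups."""
    return sorted({r["domain"] for r in rows
                   if (r["host"], r["port"]) == RESOLVER
                   and r["domain"] and not REVERSE_DNS.search(r["domain"])})


def connection_counts(rows):
    """(ip, port, name) -> TCP connection count; name is '' for direct-to-IP traffic."""
    counts = Counter()
    for r in rows:
        if r["proto"] == "tcp":
            name = "" if IPV4.match(r["domain"]) else r["domain"]
            counts[(r["host"], r["port"], name)] += r["count"]
    return counts


def classify(rows):
    """Split endpoints into public services, named C2 candidates and bare ip:port."""
    out = {"public_service": set(), "named_c2_candidate": set(), "direct_ip": set()}
    for ip, port, name in connection_counts(rows):
        if name in PUBLIC_SERVICES:
            out["public_service"].add((ip, port, name))
        elif name:
            out["named_c2_candidate"].add((ip, port, name))
        else:
            out["direct_ip"].add((ip, port))
    return out
```

The direct-to-IP connections on high ports (3325, 14845, 42494, 45450) are the ones with no name to sinkhole, so they belong in a network block list alongside the resolved names; the api.2ip.ua and transfer.sh endpoints are better treated as behavioural indicators than as destinations to block.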

Files

memory/3308-1-0x0000000002450000-0x0000000002550000-memory.dmp

memory/3308-2-0x0000000000400000-0x00000000022F3000-memory.dmp

memory/3308-3-0x0000000004040000-0x0000000004049000-memory.dmp

memory/1372-4-0x0000000000E80000-0x0000000000E96000-memory.dmp

memory/3308-5-0x0000000000400000-0x00000000022F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F992.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

C:\Users\Admin\AppData\Local\Temp\FB59.exe

MD5 aa57bc271352cd6da84865709da432ac
SHA1 7aa710914991c996b1fc4df8c8b633f5bb3d3a16
SHA256 1d7efef95b514586c08757bb66c611018ff59a71ff17f7ac529fbbf2a0fdde13
SHA512 b38e645066bf61ee1cb4f1b68e9bf749afdee1aa15934a2397ad078e0f8c1620196e485c5fde8a9e5df7f8119d2abb5a63b2af16f6e91c939bea95d5813b44cf

memory/3684-20-0x0000000003FB0000-0x0000000004047000-memory.dmp

memory/3684-21-0x0000000004180000-0x000000000429B000-memory.dmp

memory/4212-27-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD3E.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/4212-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4212-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2168-29-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FE87.exe

MD5 8e80f352faa21ac6bd996e86cd71640a
SHA1 347e8c111508d0095a05328175c0be5b86677730
SHA256 eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3
SHA512 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038

memory/2168-28-0x0000000002070000-0x00000000020A0000-memory.dmp

memory/4212-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2168-42-0x0000000074300000-0x0000000074AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFD0.exe

MD5 24f97033c62127b816fe4733b9b8a3f0
SHA1 bd8a47ad195de6fa694a6b8de214a7d06b516824
SHA256 f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612
SHA512 c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a

memory/1800-43-0x00000000020D0000-0x0000000002100000-memory.dmp

memory/1800-44-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1800-49-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2168-50-0x0000000004B50000-0x0000000005168000-memory.dmp

memory/2168-51-0x0000000005280000-0x000000000538A000-memory.dmp

memory/1800-52-0x0000000005130000-0x0000000005142000-memory.dmp

memory/1800-55-0x0000000005150000-0x000000000518C000-memory.dmp

memory/2168-54-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/1800-53-0x00000000049C0000-0x00000000049D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/5104-76-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5104-78-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/5104-79-0x0000000004F40000-0x0000000004F50000-memory.dmp

C:\Users\Admin\AppData\Local\b4495317-92a2-420d-84c6-7c1fa4bc2388\F992.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

memory/4212-81-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4212-82-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F992.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

memory/2740-86-0x0000000004000000-0x0000000004098000-memory.dmp

memory/2168-87-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/4232-90-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4232-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4232-93-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3712-94-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3712-95-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/3712-97-0x0000000005150000-0x0000000005160000-memory.dmp

memory/1800-96-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2168-99-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/1800-98-0x00000000049C0000-0x00000000049D0000-memory.dmp

memory/1800-100-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/1800-101-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/1800-103-0x0000000005C00000-0x00000000061A4000-memory.dmp

memory/2168-106-0x0000000005C80000-0x0000000005CE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21D1.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

C:\Users\Admin\AppData\Local\Temp\24FF.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/1800-110-0x0000000005A50000-0x0000000005AA0000-memory.dmp

memory/2636-116-0x0000000004020000-0x00000000040BF000-memory.dmp

memory/5104-119-0x0000000074300000-0x0000000074AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27BF.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

memory/1796-124-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5104-125-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/3452-127-0x000002304BFE0000-0x000002304C0A0000-memory.dmp

memory/1796-126-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3452-128-0x000002304DDC0000-0x000002304DDDA000-memory.dmp

memory/1796-130-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3452-131-0x0000023066660000-0x0000023066670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B0C.exe

MD5 1a8b0853338c0e0eab5d13746038fae9
SHA1 3132faa6943319d0d6a29940698c2fc39fb89062
SHA256 947fb340a672bd684a18ab7aeb7fe28cd9f2eee3c0de99c205f3a4a39aad12c0
SHA512 f2c27edad737d0bc82309bb8fe723fd43fa04a320928ab115fcaba1751a81a6d36ea0ccfd4e5eda6aa520f3afd31047630b6c3eb2387a8d9d4d79ba0c3b99cd4

memory/3452-129-0x00007FF8DAB30000-0x00007FF8DB5F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

memory/1112-142-0x0000000002520000-0x0000000002529000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 7b26f8878488b2139d64085c64ea1b9d
SHA1 7335dc40ecee44ba17369412bcb6832141c25338
SHA256 d721ae486d3cfdfd1fe8c35d7c3174a04b6ab7cf7f108b243bd7cb693e5d5676
SHA512 984cfb91d4a710795c3ea79518331c46d8f7bf7d743bcc9575ea00548b158943a59848a609f334989e491294443431f2db01737c340a30e7d44385f91a476956

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 e3b73f79627bc5fa19959111814fb5c4
SHA1 156b9fd0612064ea1e60020a838f60214360882a
SHA256 81eb634ffdd70a6642909d3608fe792ee7eb5e8947c0221effc2423fcdace0e0
SHA512 b58d3863899b6ee3252a41f2445307b4f13a2e0774bd29e32f348e9fbda49829fae6f408c58bf95b290c98aef167a2cf7c903b48ec80f96d76b11a25fc3f9605

memory/1112-137-0x0000000002650000-0x0000000002750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\309B.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

memory/5104-148-0x0000000008800000-0x0000000008D2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3251.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/1804-153-0x0000000010000000-0x00000000102FA000-memory.dmp

memory/1804-155-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

memory/1796-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1112-150-0x0000000000400000-0x00000000022F3000-memory.dmp

memory/5104-144-0x0000000006370000-0x0000000006532000-memory.dmp

memory/3712-160-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/3336-161-0x0000000004030000-0x00000000040CA000-memory.dmp

memory/3336-162-0x00000000040D0000-0x00000000041EB000-memory.dmp

memory/3712-164-0x0000000005150000-0x0000000005160000-memory.dmp

memory/2364-168-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2364-165-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2308-166-0x0000000003EE0000-0x0000000003F78000-memory.dmp

memory/2364-169-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1408-173-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1408-174-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1408-176-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2364-171-0x0000000000400000-0x0000000000537000-memory.dmp

memory/672-178-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/1372-179-0x0000000008550000-0x0000000008566000-memory.dmp

memory/672-183-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/1112-182-0x0000000000400000-0x00000000022F3000-memory.dmp

memory/3452-187-0x00007FF8DAB30000-0x00007FF8DB5F1000-memory.dmp

memory/1800-188-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2364-189-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3200-193-0x00000000040A0000-0x0000000004135000-memory.dmp

memory/3452-194-0x0000023066660000-0x0000023066670000-memory.dmp

memory/1872-197-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1872-199-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1872-202-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 7f305d024899e4809fb6f4ae00da304c
SHA1 f88a0812d36e0562ede3732ab511f459a09faff8
SHA256 8fe1088ad55d05a3c2149648c8c1ce55862e925580308afe4a4ff6cfb089c769
SHA512 bc40698582400427cd47cf80dcf39202a74148b69ed179483160b4023368d53301fa12fe6d530d9c7cdfe5f78d19ee87a285681f537950334677f8af8dfeb2ae

memory/5104-205-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2168-210-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/3712-211-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/672-212-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/672-213-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/672-215-0x0000000074300000-0x0000000074AB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\rgdtgiv

MD5 1a8b0853338c0e0eab5d13746038fae9
SHA1 3132faa6943319d0d6a29940698c2fc39fb89062
SHA256 947fb340a672bd684a18ab7aeb7fe28cd9f2eee3c0de99c205f3a4a39aad12c0
SHA512 f2c27edad737d0bc82309bb8fe723fd43fa04a320928ab115fcaba1751a81a6d36ea0ccfd4e5eda6aa520f3afd31047630b6c3eb2387a8d9d4d79ba0c3b99cd4

memory/1804-220-0x0000000002C20000-0x0000000002D43000-memory.dmp

memory/1804-221-0x0000000002D50000-0x0000000002E57000-memory.dmp

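The listing above is the sandbox's raw record of written files and memory regions: the same binary recurs under several paths (7B1.exe and 577f58beff\yiueea.exe carry the same SHA256), an entry is logged again each time the file is written, and the same memory range is dumped from several PIDs. The Python below is an added example, not part of the report or of any sandbox tooling, that parses this plain-text format into hash-keyed IOCs, rejects hashes of the wrong length (copy/paste truncation is the usual way a bad value reaches a blocklist), collapses repeats, and pivots on SHA256 and on memory region. The SAMPLE text is constructed here from a handful of entries copied from the listing; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from this report's Files listing, including
# one verbatim repeat of the yiueea.exe entry and a memory region shared by two PIDs.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7B1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/5104-76-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5104-78-0x0000000074300000-0x0000000074AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F992.exe

MD5 e73d322cdac5ae653a24ff15c18a019f
SHA1 085fc3562991a00b4ebbce4e8436f3d02c91b0b3
SHA256 e0f8d55f7a4c07f3d3ba70f0ed29666fc3751b1a8529dd275e62706a2e8c68d3
SHA512 b95c7046b0e5bfa48fe4af806357230d7836f2068eb1152ff99d77da9557ccae28f276b56bc11909f7c979af963adcf2952dcb258f0797463a443e76ef1a74e0

memory/2168-87-0x0000000074300000-0x0000000074AB0000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files_section(text):
    """Parse the plain-text Files listing into (files, dumps).

    files: list of {'path': ..., 'MD5': ..., 'SHA1': ..., ...} in listing order.
    dumps: list of {'pid', 'seq', 'start', 'end'} with addresses as ints.
    A digest whose hex length does not match its algorithm raises ValueError.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None  # a dump line closes the preceding file entry
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']}: {len(digest)} hex chars, "
                                 f"expected {HASH_LEN[algo]}")
            current[algo] = digest
            continue
        current = {"path": line}  # any other non-blank line opens a new entry
        files.append(current)
    return files, dumps


def unique_iocs(files):
    """(SHA256, path) pairs with verbatim repeats collapsed, first-seen order."""
    seen, out = set(), []
    for f in files:
        key = (f.get("SHA256"), f["path"])
        if key[0] and key not in seen:
            seen.add(key)
            out.append(key)
    return out


def paths_by_sha256(files):
    """SHA256 -> sorted paths; several paths means one binary re-dropped under new names."""
    groups = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            groups[f["SHA256"]].add(f["path"])
    return {h: sorted(p) for h, p in groups.items()}


def pids_by_region(dumps):
    """(start, end) -> sorted PIDs that dumped exactly that address range."""
    regions = defaultdict(set)
    for d in dumps:
        regions[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in regions.items()}


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    for sha, paths in paths_by_sha256(files).items():
        print(sha, *paths, sep="\n    ")
    for (start, end), pids in pids_by_region(dumps).items():
        print(f"{start:#018x}-{end:#018x} pids={pids}")
```

Two things the pivots surface that a filename-keyed blocklist would miss: the SHA256 grouping ties 7B1.exe to its copy under 577f58beff\yiueea.exe, so blocking the hash covers both names; and a range such as 0x74300000-0x74AB0000 appearing under the same address in several PIDs is more likely a shared module mapped at its preferred base than injected payload, which is worth confirming before that dump is treated as unique malware memory.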