Malware Analysis Report

2025-04-14 07:51

Sample ID 230914-ckwmdabe28
Target b5c3da97ab0ab6d2b1ebc0928fe33dec.bin
SHA256 76834819a9bbe0fbd2a22ae7f298bf70a53dd292c65247567b65fcd5fa082878
Tags
amadey djvu redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) lux3 smokiez_build backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan pub1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76834819a9bbe0fbd2a22ae7f298bf70a53dd292c65247567b65fcd5fa082878

Threat Level: Known bad

The file b5c3da97ab0ab6d2b1ebc0928fe33dec.bin was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

RedLine

Amadey

Vidar

Djvu Ransomware

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Modifies file permissions

Themida packer

Deletes itself

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 02:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 02:08

Reported

2023-09-14 02:11

Platform

win7-20230831-en

Max time kernel

122s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (13 identical rows)

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EB98.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EB98.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EB98.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c3e0a4d3-6e8b-487f-8295-9cacd16e7012\\E476.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E476.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EB98.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (5 identical rows)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EB98.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\E476.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\E476.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\E476.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\E476.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\E476.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe N/A
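The three thumbprints in the rows above are the SHA-1 thumbprints of public CA roots: CABD2A79… is ISRG Root X1, DAC9024F… is DST Root CA X3 and D1EB23A4… is AAA Certificate Services. An un-updated Windows 7 image lacks them, and CryptoAPI's automatic root update writes them into ROOT/AuthRoot the first time a process validates a TLS chain that needs them; the plaintext fetch from apps.identrust.com in the Network section is consistent with that chain building. So this signature is most plausibly a side effect of the stealers' HTTPS traffic rather than evidence of an attacker-installed root, but the check a responder wants is the same either way: diff the store against a baseline and treat any added thumbprint that is not a known public root as suspicious. The following added example (not part of this report) does exactly that over two constructed .reg exports; KNOWN_PUBLIC_ROOTS holds only the three thumbprints this report records and would be extended from a trusted CA list in practice.

```python
"""Diff the certificate-store registry keys of a host against a known-good
baseline and sort the additions into well-known public roots versus anything else.

Added example, not part of the sandbox report.  Both .reg exports below are
constructed; on a real host they would come from
`reg export HKLM\\SOFTWARE\\Microsoft\\SystemCertificates <file>` taken from a
golden image and from the suspect machine.
"""
import re
from typing import Dict, List, Set, Tuple

STORE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\"
    r"(ROOT|AuthRoot)\\Certificates\\([0-9A-Fa-f]{40})\]$"
)

# SHA-1 thumbprints of public roots.  Only the three this report records are
# listed here; extend from a trusted CA list in practice.
KNOWN_PUBLIC_ROOTS: Dict[str, str] = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
    "DAC9024F54D8F6DF94935FB1732638CA6AD77C13": "DST Root CA X3",
    "D1EB23A46D17D68FD92564C2F1F1601764D8E349": "AAA Certificate Services",
}

Entry = Tuple[str, str]  # (store name, upper-case thumbprint)


def parse_store_export(reg_text: str) -> Set[Entry]:
    """Collect (store, thumbprint) pairs from the key headers of a .reg export."""
    found: Set[Entry] = set()
    for line in reg_text.splitlines():
        m = STORE_KEY.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2).upper()))
    return found


def triage_new_roots(baseline: Set[Entry], current: Set[Entry]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Split thumbprints present in `current` but not in `baseline` into
    'public' (matches a known public root) and 'unknown' (needs investigation)."""
    result: Dict[str, List[Tuple[str, str, str]]] = {"public": [], "unknown": []}
    for store, thumb in sorted(current - baseline):
        name = KNOWN_PUBLIC_ROOTS.get(thumb)
        bucket = "public" if name else "unknown"
        result[bucket].append((store, thumb, name or "not a known public root"))
    return result


# Constructed baseline export: one pre-existing entry with a placeholder thumbprint.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567]
"Blob"=hex:04,00,00,00
"""

# Constructed post-detonation export: the baseline entry, the three keys this
# report shows being created, and one hypothetical thumbprint (all F) that
# matches no public root, to exercise the 'unknown' branch.
CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567]
"Blob"=hex:04,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8]
"Blob"=hex:04,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13]
"Blob"=hex:04,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349]
"Blob"=hex:04,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF]
"Blob"=hex:04,00,00,00
"""

if __name__ == "__main__":
    triage = triage_new_roots(parse_store_export(BASELINE_REG), parse_store_export(CURRENT_REG))
    for bucket, entries in triage.items():
        for store, thumb, name in entries:
            print(f"{bucket:8} {store:9} {thumb}  {name}")
```

Only the subkey names are compared; if an attacker re-used a legitimate thumbprint as a key name with a different Blob, the Blob itself would have to be decoded and hashed, which this example does not do.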

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A (2 identical rows)
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (9 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EB98.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\E476.exe (4 identical rows)
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\E476.exe C:\Users\Admin\AppData\Local\Temp\E476.exe (11 identical rows)
PID 1372 wrote to memory of 2916 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB98.exe (4 identical rows)
PID 1372 wrote to memory of 808 N/A N/A C:\Users\Admin\AppData\Local\Temp\F394.exe (4 identical rows)
PID 808 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\F394.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (12 identical rows)
PID 1372 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B31.exe (4 identical rows)
PID 1372 wrote to memory of 824 N/A N/A C:\Users\Admin\AppData\Local\Temp\21A8.exe (4 identical rows)
PID 2468 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\E476.exe C:\Windows\SysWOW64\icacls.exe (4 identical rows)
PID 824 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\21A8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (12 identical rows)
PID 2468 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\E476.exe C:\Users\Admin\AppData\Local\Temp\E476.exe (4 identical rows)
PID 2340 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\E476.exe C:\Users\Admin\AppData\Local\Temp\E476.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe

"C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe"

C:\Users\Admin\AppData\Local\Temp\E476.exe

C:\Users\Admin\AppData\Local\Temp\E476.exe

C:\Users\Admin\AppData\Local\Temp\E476.exe

C:\Users\Admin\AppData\Local\Temp\E476.exe

C:\Users\Admin\AppData\Local\Temp\EB98.exe

C:\Users\Admin\AppData\Local\Temp\EB98.exe

C:\Users\Admin\AppData\Local\Temp\F394.exe

C:\Users\Admin\AppData\Local\Temp\F394.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1B31.exe

C:\Users\Admin\AppData\Local\Temp\1B31.exe

C:\Users\Admin\AppData\Local\Temp\21A8.exe

C:\Users\Admin\AppData\Local\Temp\21A8.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c3e0a4d3-6e8b-487f-8295-9cacd16e7012" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\E476.exe

"C:\Users\Admin\AppData\Local\Temp\E476.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E476.exe

"C:\Users\Admin\AppData\Local\Temp\E476.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\38F0.exe

C:\Users\Admin\AppData\Local\Temp\38F0.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6483.exe

C:\Users\Admin\AppData\Local\Temp\6483.exe

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\6483.exe

C:\Users\Admin\AppData\Local\Temp\6483.exe

C:\Users\Admin\AppData\Local\Temp\7749.exe

C:\Users\Admin\AppData\Local\Temp\7749.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7EF8.exe

C:\Users\Admin\AppData\Local\Temp\7EF8.exe

C:\Users\Admin\AppData\Local\c270b4b6-75a6-44d9-81ce-a17a19470934\build2.exe

"C:\Users\Admin\AppData\Local\c270b4b6-75a6-44d9-81ce-a17a19470934\build2.exe"

C:\Users\Admin\AppData\Local\c270b4b6-75a6-44d9-81ce-a17a19470934\build2.exe

"C:\Users\Admin\AppData\Local\c270b4b6-75a6-44d9-81ce-a17a19470934\build2.exe"

C:\Users\Admin\AppData\Local\c270b4b6-75a6-44d9-81ce-a17a19470934\build3.exe

"C:\Users\Admin\AppData\Local\c270b4b6-75a6-44d9-81ce-a17a19470934\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\6483.exe

"C:\Users\Admin\AppData\Local\Temp\6483.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6483.exe

"C:\Users\Admin\AppData\Local\Temp\6483.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\A08D.exe

C:\Users\Admin\AppData\Local\Temp\A08D.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {369DCEF6-DED8-4140-B186-5FAF0ECC7B5C} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AB38.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AB38.dll

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\egtibrb

C:\Users\Admin\AppData\Roaming\egtibrb

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\a387c8f4-939f-4af6-8074-0801e8dd2aee\build2.exe

"C:\Users\Admin\AppData\Local\a387c8f4-939f-4af6-8074-0801e8dd2aee\build2.exe"

C:\Users\Admin\AppData\Local\a387c8f4-939f-4af6-8074-0801e8dd2aee\build3.exe

"C:\Users\Admin\AppData\Local\a387c8f4-939f-4af6-8074-0801e8dd2aee\build3.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
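The command lines above contain the persistence and self-protection techniques a detection engineer would want rules for: schtasks with a one-minute repeat (/sc minute /mo 1, used both for yiueea.exe and for the "Azure-Update-Task"), icacls denying Everyone (S-1-1-0) delete rights on the Djvu drop directory, CACLS stripping the user's own rights from the Amadey binary and its directory, regsvr32 /s loading a DLL out of %TEMP%, AppLaunch.exe started with no arguments by a Temp-dropped executable (the WriteProcessMemory rows show F394.exe and 21A8.exe writing into AppLaunch.exe), and the SysHelper Run key pointing into AppData. The following added example (not part of this report) expresses those as rules over a simplified Sysmon-style event layout and runs them over events transcribed from this report plus two constructed benign negatives; the event field names are an assumption of the example.

```python
"""Command-line and registry detections for the persistence and self-protection
behaviour recorded in this report, run over constructed events.

Added example, not part of the sandbox report.  The event layout (dicts with
'type', 'image', 'cmdline', 'parent' or 'key', 'value') is an assumed
simplification of Sysmon process-creation (ID 1) and registry-set (ID 13) logs.
"""
import re
from typing import Dict, List

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# .NET utilities this report shows being written to by Temp-dropped loaders;
# one of them started by a Temp parent is the hollowing pattern to flag.
DOTNET_HOSTS = {"applaunch.exe", "installutil.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    if event["type"] == "process":
        image = _basename(event["image"])
        cmd = event["cmdline"]
        parent = event.get("parent", "")
        # One-minute scheduled task, as created for yiueea.exe and mstsca.exe
        if image == "schtasks.exe" and re.search(r"/sc\s+minute\s+/mo\s+1\b", cmd, re.I):
            hits.append("schtasks_minute_loop")
        # Djvu denies Everyone (S-1-1-0) delete rights on its own drop directory
        if image == "icacls.exe" and re.search(r"/deny\s+\*S-1-1-0:", cmd, re.I):
            hits.append("icacls_deny_everyone")
        # Amadey revokes the current user's rights ("<user>:N") on its own files
        if image == "cacls.exe" and re.search(r'/P\s+"[^"]+:N"', cmd):
            hits.append("cacls_revoke_self")
        # Silent registration of a DLL that lives in %TEMP%
        if image == "regsvr32.exe" and re.search(r"(^|\s)/s(\s|$)", cmd, re.I) and TEMP_DIR.search(cmd):
            hits.append("regsvr32_temp_dll")
        # .NET host started by a Temp executable: process-hollowing target
        if image in DOTNET_HOSTS and TEMP_DIR.search(parent):
            hits.append("dotnet_host_from_temp")
    elif event["type"] == "registry":
        if RUN_KEY.search(event["key"]) and APPDATA.search(event["value"]):
            hits.append("run_key_appdata")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group matching events by rule name; the evidence is the command line or key."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        for rule in detect(ev):
            report.setdefault(rule, []).append(ev.get("cmdline") or ev["key"])
    return report


# Constructed events transcribed from this report's command lines and Run-key
# write, followed by two constructed benign events as negatives.  Parent paths
# are given only where the report's WriteProcessMemory rows establish them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\c3e0a4d3-6e8b-487f-8295-9cacd16e7012" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\E476.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "yiueea.exe" /P "Admin:N"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "yiueea.exe" /P "Admin:R" /E'},
    {"type": "process", "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AB38.dll"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\F394.exe"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\21A8.exe"},
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "value": r'"C:\Users\Admin\AppData\Local\c3e0a4d3-6e8b-487f-8295-9cacd16e7012\E476.exe" --AutoStart'},
    # constructed benign negatives
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC DAILY /TN NightlyBackup /TR "C:\Program Files\Backup\run.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'},
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS).items():
        print(f"[{rule}]")
        for line in evidence:
            print("   ", line)
```

The second CACLS line (`/P "Admin:R" /E`) deliberately does not match: the revoke-then-grant-read pair is what Amadey runs, and the first command is the one worth alerting on. The hollowing rule keys on the parent only because this report shows the hosts started with an empty argument list; a production rule would also require the parent to be unsigned or outside Program Files.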

Network

Country  Destination            Domain               Proto
US       8.8.8.8:53             potunulit.org        udp
US       188.114.96.1:80        potunulit.org        tcp
US       8.8.8.8:53             colisumy.com         udp
PA       181.197.76.240:80      colisumy.com         tcp
US       8.8.8.8:53             api.2ip.ua           udp
NL       162.0.217.254:443      api.2ip.ua           tcp
NL       194.169.175.232:80     194.169.175.232      tcp
RU       79.137.192.18:80       79.137.192.18        tcp
PA       181.197.76.240:80      colisumy.com         tcp
NL       162.0.217.254:443      api.2ip.ua           tcp
MD       176.123.9.142:14845    -                    tcp
GB       51.38.95.107:42494     -                    tcp
NL       194.169.175.232:45450  -                    tcp
RU       79.137.192.18:80       79.137.192.18        tcp
US       95.214.27.254:80       -                    tcp
US       8.8.8.8:53             z.nnnaajjjgc.com     udp
NL       162.0.217.254:443      api.2ip.ua           tcp
PA       181.197.76.240:80      colisumy.com         tcp
US       8.8.8.8:53             zexeq.com            udp
RO       109.98.58.98:80        zexeq.com            tcp
NL       194.169.175.232:80     194.169.175.232      tcp
MU       156.236.72.121:443     z.nnnaajjjgc.com     tcp
BG       193.42.32.101:80       193.42.32.101        tcp
NL       194.169.175.232:45450  -                    tcp
RO       109.98.58.98:80        zexeq.com            tcp
US       8.8.8.8:53             apps.identrust.com   udp
US       8.8.8.8:53             login-sofi.4dq.com   udp
US       2.18.121.136:80        apps.identrust.com   tcp
DE       45.79.249.147:443      login-sofi.4dq.com   tcp
DE       45.79.249.147:443      login-sofi.4dq.com   tcp
NL       162.0.217.254:443      api.2ip.ua           tcp
US       8.8.8.8:53             t.me                 udp
US       38.181.25.43:3325      -                    tcp
NL       149.154.167.99:443     t.me                 tcp
NL       149.154.167.99:443     t.me                 tcp
NL       149.154.167.99:443     t.me                 tcp
NL       149.154.167.99:443     t.me                 tcp
US       8.8.8.8:53             steamcommunity.com   udp
JP       23.207.106.113:443     steamcommunity.com   tcp
US       95.214.27.254:80       -                    tcp
US       95.214.27.254:80       -                    tcp
US       95.214.27.254:80       -                    tcp
PA       181.197.76.240:80      colisumy.com         tcp
MU       156.236.72.121:443     z.nnnaajjjgc.com     tcp
US       8.8.8.8:53             zexeq.com            udp
KR       211.181.24.132:80      zexeq.com            tcp
US       8.8.8.8:53             app.nnnaajjjgc.com   udp
HK       154.221.26.108:80      app.nnnaajjjgc.com   tcp

("-" in the Domain column: no name was resolved for the connection, i.e. the sample connected to the address directly.)
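Not every row above is a blockable indicator. 8.8.8.8:53 is the sandbox's resolver; api.2ip.ua is a public external-IP service (the "Looks up external IP address via web service" signature); apps.identrust.com is CA infrastructure contacted while building a TLS chain; and t.me plus steamcommunity.com are the dead-drop pages Vidar is known to read its live C2 address from. The remaining domains, and the connections for which no domain was recorded (the address was hard-coded), are the C2 candidates. The following added example (not part of this report) sorts a transcribed subset of the rows into those buckets and builds a deny list from the candidates only; the bucket names and the LEGIT_CONTEXT table are the example's own.

```python
"""Triage the Network table of a sandbox report into C2 candidates versus
legitimate services the stealers merely use, then emit a deny list.

Added example, not part of the sandbox report.  NETWORK_TABLE is a transcribed
subset of the report's rows (rows without a domain keep the report's
three-column form; a '-' placeholder is accepted too).
"""
import re
from typing import Dict, List, Set

# Legitimate services the families tagged in this report are known to use;
# they belong in a report as context, not on a deny list.
LEGIT_CONTEXT: Dict[str, str] = {
    "t.me": "dead_drop",                # Vidar reads its live C2 from a Telegram channel page
    "steamcommunity.com": "dead_drop",  # ...or from a Steam profile page
    "api.2ip.ua": "ip_lookup",          # external-IP lookup (the report's own signature)
    "apps.identrust.com": "ca_infra",   # CRL/AIA endpoint hit during TLS chain building
}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Transcribed subset of the Network table in this report (constructed copy).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.1:80 potunulit.org tcp
PA 181.197.76.240:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:80 194.169.175.232 tcp
MD 176.123.9.142:14845 tcp
GB 51.38.95.107:42494 tcp
NL 194.169.175.232:45450 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 2.18.121.136:80 apps.identrust.com tcp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
JP 23.207.106.113:443 steamcommunity.com tcp
KR 211.181.24.132:80 zexeq.com tcp
"""

BUCKETS = ("dns_queries", "c2_domains", "c2_endpoints", "direct_ip",
           "dead_drop", "ip_lookup", "ca_infra")


def triage_network(table: str) -> Dict[str, Set[str]]:
    """Sort each row into a bucket; DNS lookups are recorded but never blocked."""
    out: Dict[str, Set[str]] = {name: set() for name in BUCKETS}
    for raw in table.splitlines():
        parts = raw.split()
        if len(parts) == 4:
            _cc, dest, domain, proto = parts
        elif len(parts) == 3:
            _cc, dest, proto = parts
            domain = None
        else:
            continue
        if proto not in ("tcp", "udp"):
            continue  # header line
        host, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            if domain:
                out["dns_queries"].add(domain)
            continue
        # No name, a '-' placeholder, or the name is the IP itself: hard-coded address
        if domain in (None, "-") or domain == host or IPV4.match(domain):
            out["direct_ip"].add(dest)
        elif domain in LEGIT_CONTEXT:
            out[LEGIT_CONTEXT[domain]].add(domain)
        else:
            out["c2_domains"].add(domain)
            out["c2_endpoints"].add(f"{domain} {dest}")
    return out


def blocklist(triage: Dict[str, Set[str]]) -> List[str]:
    """Domains plus bare IPs from the C2 buckets, ready for a DNS/firewall deny list."""
    hosts = set(triage["c2_domains"])
    hosts.update(endpoint.rpartition(":")[0] for endpoint in triage["direct_ip"])
    return sorted(hosts)


if __name__ == "__main__":
    result = triage_network(NETWORK_TABLE)
    for bucket in BUCKETS:
        print(f"{bucket:13}", ", ".join(sorted(result[bucket])) or "-")
    print("deny list:", ", ".join(blocklist(result)))
```

Hard-coded addresses are kept with their port in direct_ip because the high, non-standard ports (14845, 42494, 45450) are themselves useful for a network rule, while the deny list collapses them to bare hosts.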

Files

memory/2968-0-0x0000000000220000-0x0000000000235000-memory.dmp

memory/2968-1-0x0000000000240000-0x0000000000249000-memory.dmp

memory/2968-2-0x0000000000400000-0x0000000002083000-memory.dmp

memory/1372-3-0x0000000002690000-0x00000000026A6000-memory.dmp

memory/2968-7-0x0000000000240000-0x0000000000249000-memory.dmp

memory/2968-4-0x0000000000400000-0x0000000002083000-memory.dmp

memory/2968-8-0x0000000000220000-0x0000000000235000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E476.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\E476.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2300-18-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/2300-19-0x0000000000340000-0x00000000003D2000-memory.dmp

\Users\Admin\AppData\Local\Temp\E476.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\E476.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2468-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2300-20-0x0000000003C40000-0x0000000003D5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E476.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2468-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2468-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2468-29-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB98.exe

MD5 1b67e388efc2b48f047e9eeb16edcef2
SHA1 2c5ddc2006c38caed1adab80df1e5a370821b47f
SHA256 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1
SHA512 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94

memory/2916-34-0x0000000000C80000-0x0000000001522000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F394.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/2916-46-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-47-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-48-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-51-0x00000000760E0000-0x0000000076127000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F394.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/2916-52-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-53-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-54-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-55-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-56-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-57-0x00000000760E0000-0x0000000076127000-memory.dmp

memory/2916-59-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-60-0x00000000760E0000-0x0000000076127000-memory.dmp

memory/2916-61-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-65-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-64-0x00000000760E0000-0x0000000076127000-memory.dmp

memory/2916-63-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-66-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2916-68-0x0000000075F50000-0x0000000076060000-memory.dmp

memory/2640-67-0x0000000000400000-0x0000000000430000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted 2023-09-14 02:08

Reported 2023-09-14 02:11

Platform win10v2004-20230831-en

Max time kernel 136s

Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EA3D.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EA3D.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EA3D.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F6A5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1AEC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\888.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E683.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2ebf148-57c0-4713-b46c-efc60e68e4fd\\E683.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E683.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EA3D.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA3D.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\151E.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\151E.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\151E.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE27.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3140 wrote to memory of 3056 N/A N/A C:\Users\Admin\AppData\Local\Temp\E683.exe
PID 3140 wrote to memory of 3056 N/A N/A C:\Users\Admin\AppData\Local\Temp\E683.exe
PID 3140 wrote to memory of 3056 N/A N/A C:\Users\Admin\AppData\Local\Temp\E683.exe
PID 3140 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA3D.exe
PID 3140 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA3D.exe
PID 3140 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA3D.exe
PID 3140 wrote to memory of 1020 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe
PID 3140 wrote to memory of 1020 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe
PID 3140 wrote to memory of 1020 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe
PID 3140 wrote to memory of 3444 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE27.exe
PID 3140 wrote to memory of 3444 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE27.exe
PID 3140 wrote to memory of 3444 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE27.exe
PID 3140 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F135.exe
PID 3140 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F135.exe
PID 3140 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F135.exe
PID 3140 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6A5.exe
PID 3140 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6A5.exe
PID 3140 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\Temp\F6A5.exe
PID 4468 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\F6A5.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4468 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\F6A5.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4468 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\F6A5.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 840 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\888.exe
PID 3140 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\888.exe
PID 3140 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\888.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1020 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3140 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\B38.exe
PID 3140 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\B38.exe
PID 3140 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\B38.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\F135.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3140 wrote to memory of 4896 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE.exe
PID 3140 wrote to memory of 4896 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAE.exe
PID 3140 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\Temp\151E.exe
PID 3140 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\Temp\151E.exe
PID 3140 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\Temp\151E.exe
PID 3140 wrote to memory of 1356 N/A N/A C:\Users\Admin\AppData\Local\Temp\1AEC.exe
PID 3140 wrote to memory of 1356 N/A N/A C:\Users\Admin\AppData\Local\Temp\1AEC.exe
PID 3140 wrote to memory of 1356 N/A N/A C:\Users\Admin\AppData\Local\Temp\1AEC.exe
PID 1860 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 2364 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3140 wrote to memory of 2364 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2364 wrote to memory of 4920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2364 wrote to memory of 4920 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe

"C:\Users\Admin\AppData\Local\Temp\7cdaf3cc93e1a883c7439e9cbf1988a35f5bb2d98fa2b1910bfdce521d27d009.exe"

C:\Users\Admin\AppData\Local\Temp\E683.exe

C:\Users\Admin\AppData\Local\Temp\E683.exe

C:\Users\Admin\AppData\Local\Temp\EA3D.exe

C:\Users\Admin\AppData\Local\Temp\EA3D.exe

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

C:\Users\Admin\AppData\Local\Temp\EE27.exe

C:\Users\Admin\AppData\Local\Temp\EE27.exe

C:\Users\Admin\AppData\Local\Temp\F135.exe

C:\Users\Admin\AppData\Local\Temp\F135.exe

C:\Users\Admin\AppData\Local\Temp\F6A5.exe

C:\Users\Admin\AppData\Local\Temp\F6A5.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\888.exe

C:\Users\Admin\AppData\Local\Temp\888.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\B38.exe

C:\Users\Admin\AppData\Local\Temp\B38.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\FAE.exe

C:\Users\Admin\AppData\Local\Temp\FAE.exe

C:\Users\Admin\AppData\Local\Temp\151E.exe

C:\Users\Admin\AppData\Local\Temp\151E.exe

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1E0A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1E0A.dll

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\E683.exe

C:\Users\Admin\AppData\Local\Temp\E683.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\888.exe

C:\Users\Admin\AppData\Local\Temp\888.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c2ebf148-57c0-4713-b46c-efc60e68e4fd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

"C:\Users\Admin\AppData\Local\Temp\1AEC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\888.exe

"C:\Users\Admin\AppData\Local\Temp\888.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\888.exe

"C:\Users\Admin\AppData\Local\Temp\888.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

"C:\Users\Admin\AppData\Local\Temp\1AEC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1260 -ip 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4228 -ip 4228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\E683.exe

"C:\Users\Admin\AppData\Local\Temp\E683.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E683.exe

"C:\Users\Admin\AppData\Local\Temp\E683.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3848 -ip 3848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 572

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 211.181.24.133:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 133.24.181.211.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
KR 211.181.24.133:80 colisumy.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
NL 194.169.175.232:80 194.169.175.232 tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
NL 194.169.175.232:45450 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 147.249.79.45.in-addr.arpa udp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:45450 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 gudintas.at udp
MX 189.194.9.27:80 gudintas.at tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
MX 189.194.9.27:80 gudintas.at tcp
US 8.8.8.8:53 27.9.194.189.in-addr.arpa udp
MX 189.194.9.27:80 gudintas.at tcp

Files

C:\Users\Admin\AppData\Local\Temp\E683.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\EA3D.exe

MD5 1b67e388efc2b48f047e9eeb16edcef2
SHA1 2c5ddc2006c38caed1adab80df1e5a370821b47f
SHA256 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1
SHA512 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

C:\Users\Admin\AppData\Local\Temp\EE27.exe

MD5 52e2f416fb09cf8da94bf1a88a8bc31b
SHA1 b368ea2376b00d1439e292952d281c577d26049b
SHA256 cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345
SHA512 a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732

C:\Users\Admin\AppData\Local\Temp\F135.exe

MD5 24f97033c62127b816fe4733b9b8a3f0
SHA1 bd8a47ad195de6fa694a6b8de214a7d06b516824
SHA256 f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612
SHA512 c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a

C:\Users\Admin\AppData\Local\Temp\F6A5.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\888.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\B38.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

C:\Users\Admin\AppData\Local\Temp\FAE.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

C:\Users\Admin\AppData\Local\Temp\151E.exe

MD5 08f32f388b42aab675eea1bf2d60d770
SHA1 e53e062934952fa51c68a9400afa631880ccebe6
SHA256 c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1
SHA512 82ebb2416b4980bd699c04233800469ac23ba68d5ba950cd91d1a950af699bbd847a883e1907527000cc7fb7d34e3dd00d8d4609fd3324964f7317a7116b5ba7

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Temp\1E0A.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

C:\Users\Admin\AppData\Local\c2ebf148-57c0-4713-b46c-efc60e68e4fd\E683.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 6f4d866cddc40ea82d0add30b7e7e757
SHA1 8985224b47959f07e82ce97bd9cd4286e37e5117
SHA256 1ee7e27053d7683e3269fda4e3f7c07678d26f46fb7938111242ac5f3fa57d4f
SHA512 5ee962d8c9da20346ee68f90d1a41d96cf4a86078ccb4fb95eb91bc0cc32019d44fa6b6a05bb91969aa599751924f11fb21b9f8957f4a92fbfe8d45bc62e7b08

memory/5044-192-0x0000000000400000-0x0000000002291000-memory.dmp

memory/2064-195-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5044-196-0x0000000002320000-0x0000000002329000-memory.dmp

memory/5044-194-0x00000000024C0000-0x00000000025C0000-memory.dmp

memory/2064-187-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 ba66023af7d803864ce0de7b48ec1c47
SHA1 f896ff6a98236220fd3fb863c16d0ee250264c4f
SHA256 1df234123219231a83da7833899d232c906a857647466c71f1f00c6a54996c33
SHA512 b9884aa4d0717f3201865073a54bfe64e0b95667680a0bedee8a128eb81fb385dd13ee1480a8a78ed2c788b5348b5eab1961658ebb573582ebe0442a41d4fee0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

memory/4920-177-0x0000000002A60000-0x0000000002B67000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 d8c400934af4322f697ca0afee8a67ca
SHA1 8742a631e77cf825cf4badf80248242d37fb2feb
SHA256 ad11ae732fd7aa49419d488aab0e5befaa19861d99f5ae228aa49afcd7558e05
SHA512 3175a92d84a50a08618853f8ec0a5a2830e132b7540650de19800af3c9e7778f38cc894b0fac37e912edc7d969ac449caa7f53c247882a017c1e63cb10fea6ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 d8c400934af4322f697ca0afee8a67ca
SHA1 8742a631e77cf825cf4badf80248242d37fb2feb
SHA256 ad11ae732fd7aa49419d488aab0e5befaa19861d99f5ae228aa49afcd7558e05
SHA512 3175a92d84a50a08618853f8ec0a5a2830e132b7540650de19800af3c9e7778f38cc894b0fac37e912edc7d969ac449caa7f53c247882a017c1e63cb10fea6ee

memory/3444-205-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/3692-204-0x0000000005560000-0x00000000055B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/2064-207-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1640-209-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\888.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/3140-213-0x0000000002D70000-0x0000000002D86000-memory.dmp

memory/5044-211-0x0000000000400000-0x0000000002291000-memory.dmp

memory/3444-218-0x0000000002550000-0x0000000002560000-memory.dmp

memory/3692-220-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4964-222-0x0000000003F60000-0x0000000004002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\888.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/4368-228-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/3444-234-0x0000000074800000-0x0000000074FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1AEC.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 0eab9cbc81b630365ed87e70a3bcf348
SHA1 d6ce2097af6c58fe41f98e1b0f9c264aa552d253
SHA256 e8f1178d92ce896b5f45c707050c3e84527db102bc3687e1e7208dbd34cd7685
SHA512 1417409eee83f2c8d4a15f843374c826cc2250e23dc4d46648643d02bfbf8c463d6aa8b43274bf68be1e780f81d506948bf84903a7a1044b46b12813d67c9498

C:\Users\Admin\AppData\Local\c2ebf148-57c0-4713-b46c-efc60e68e4fd\E683.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E683.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\E683.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Roaming\hggatug

MD5 08f32f388b42aab675eea1bf2d60d770
SHA1 e53e062934952fa51c68a9400afa631880ccebe6
SHA256 c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1
SHA512 82ebb2416b4980bd699c04233800469ac23ba68d5ba950cd91d1a950af699bbd847a883e1907527000cc7fb7d34e3dd00d8d4609fd3324964f7317a7116b5ba7