Malware Analysis Report

2025-04-14 07:24

Sample ID 230914-fctdtscb83
Target file.exe
SHA256 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b
Tags
amadey djvu redline smokeloader vidar 7b01483643983171e949f923c5bc80e7 logsdiller cloud (tg: @logsdillabot) lux3 smokiez_build backdoor discovery evasion infostealer persistence ransomware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader vidar 7b01483643983171e949f923c5bc80e7 logsdiller cloud (tg: @logsdillabot) lux3 smokiez_build backdoor discovery evasion infostealer persistence ransomware stealer themida trojan

RedLine

Detected Djvu ransomware

Vidar

Amadey

SmokeLoader

Djvu Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Checks BIOS information in registry

Themida packer

Modifies file permissions

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 04:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 04:44

Reported

2023-09-14 04:46

Platform

win7-20230831-en

Max time kernel

42s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\B424.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\B424.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\B424.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ffc412dc-ceb3-4aac-99f2-e87b750d9a0b\\AD21.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\AD21.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\B424.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\AD21.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\AD21.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\AD21.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\AD21.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\AD21.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 1240 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 1240 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 1240 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2632 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 1240 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1240 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1240 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1240 wrote to memory of 2548 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1240 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\B914.exe
PID 1240 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\B914.exe
PID 1240 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\B914.exe
PID 1240 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\B914.exe
PID 1240 wrote to memory of 1672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC40.exe
PID 1240 wrote to memory of 1672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC40.exe
PID 1240 wrote to memory of 1672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC40.exe
PID 1240 wrote to memory of 1672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC40.exe
PID 2792 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Windows\SysWOW64\icacls.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1240 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe
PID 1240 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe
PID 1240 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe
PID 1240 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1772 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B914.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 856 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\C21B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2792 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2792 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2792 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2792 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2264 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe
PID 2264 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\AD21.exe C:\Users\Admin\AppData\Local\Temp\AD21.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\AD21.exe

C:\Users\Admin\AppData\Local\Temp\AD21.exe

C:\Users\Admin\AppData\Local\Temp\AD21.exe

C:\Users\Admin\AppData\Local\Temp\AD21.exe

C:\Users\Admin\AppData\Local\Temp\B424.exe

C:\Users\Admin\AppData\Local\Temp\B424.exe

C:\Users\Admin\AppData\Local\Temp\B914.exe

C:\Users\Admin\AppData\Local\Temp\B914.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ffc412dc-ceb3-4aac-99f2-e87b750d9a0b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\BC40.exe

C:\Users\Admin\AppData\Local\Temp\BC40.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C21B.exe

C:\Users\Admin\AppData\Local\Temp\C21B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\AD21.exe

"C:\Users\Admin\AppData\Local\Temp\AD21.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AD21.exe

"C:\Users\Admin\AppData\Local\Temp\AD21.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D9C1.exe

C:\Users\Admin\AppData\Local\Temp\D9C1.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

"C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe"

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

"C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe"

C:\Users\Admin\AppData\Local\Temp\E1.exe

C:\Users\Admin\AppData\Local\Temp\E1.exe

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build3.exe

"C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build3.exe"

C:\Users\Admin\AppData\Local\Temp\E1.exe

C:\Users\Admin\AppData\Local\Temp\E1.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3A99ADE6-0DDD-4C69-85E6-4FE275A3F68D} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\4207.exe

C:\Users\Admin\AppData\Local\Temp\4207.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\56C0.exe

C:\Users\Admin\AppData\Local\Temp\56C0.exe

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7CD9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7CD9.dll

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

"C:\Users\Admin\AppData\Local\Temp\6DCB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

"C:\Users\Admin\AppData\Local\Temp\6DCB.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MX 201.124.224.61:80 colisumy.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:80 194.169.175.232 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
MX 201.124.224.61:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
RU 79.137.192.18:80 79.137.192.18 tcp
MX 201.124.224.61:80 colisumy.com tcp
AR 190.139.250.133:80 zexeq.com tcp
NL 194.169.175.232:45450 tcp
MD 176.123.9.142:14845 tcp
AR 190.139.250.133:80 zexeq.com tcp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 t.me udp
US 2.18.121.136:80 apps.identrust.com tcp
US 95.214.27.254:80 tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
NL 149.154.167.99:443 t.me tcp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 95.214.27.254:80 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 95.214.27.254:80 tcp

Files

memory/1680-1-0x0000000000270000-0x0000000000370000-memory.dmp

memory/1680-2-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/1680-3-0x0000000000400000-0x0000000002290000-memory.dmp

memory/1240-4-0x0000000002A30000-0x0000000002A46000-memory.dmp

memory/1680-5-0x0000000000400000-0x0000000002290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2632-17-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2632-18-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2632-19-0x0000000003BA0000-0x0000000003CBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2792-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2792-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B424.exe

MD5 1b67e388efc2b48f047e9eeb16edcef2
SHA1 2c5ddc2006c38caed1adab80df1e5a370821b47f
SHA256 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1
SHA512 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94

memory/2548-40-0x00000000008B0000-0x0000000001152000-memory.dmp

memory/2548-41-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-51-0x0000000075C90000-0x0000000075DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB618.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2548-52-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-60-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-66-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-65-0x0000000076380000-0x00000000763C7000-memory.dmp

memory/2548-63-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-67-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-68-0x0000000075C90000-0x0000000075DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B914.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/2548-69-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-71-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-70-0x0000000075C90000-0x0000000075DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC40.exe

MD5 52e2f416fb09cf8da94bf1a88a8bc31b
SHA1 b368ea2376b00d1439e292952d281c577d26049b
SHA256 cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345
SHA512 a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732

C:\Users\Admin\AppData\Local\Temp\BC40.exe

MD5 52e2f416fb09cf8da94bf1a88a8bc31b
SHA1 b368ea2376b00d1439e292952d281c577d26049b
SHA256 cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345
SHA512 a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732

C:\Users\Admin\AppData\Local\Temp\TarBBE5.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2548-74-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-73-0x00000000771C0000-0x00000000771C2000-memory.dmp

memory/2548-72-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/1672-95-0x0000000000260000-0x0000000000290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC40.exe

MD5 52e2f416fb09cf8da94bf1a88a8bc31b
SHA1 b368ea2376b00d1439e292952d281c577d26049b
SHA256 cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345
SHA512 a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732

memory/2548-101-0x00000000008B0000-0x0000000001152000-memory.dmp

memory/560-104-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C21B.exe

MD5 24f97033c62127b816fe4733b9b8a3f0
SHA1 bd8a47ad195de6fa694a6b8de214a7d06b516824
SHA256 f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612
SHA512 c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a

memory/1672-105-0x0000000000690000-0x0000000000696000-memory.dmp

memory/560-108-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-107-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-109-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-110-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/560-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-113-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-115-0x0000000000400000-0x0000000000430000-memory.dmp

memory/560-117-0x00000000003E0000-0x00000000003E6000-memory.dmp

memory/2548-118-0x0000000073B40000-0x000000007422E000-memory.dmp

memory/1672-119-0x0000000073B40000-0x000000007422E000-memory.dmp

memory/560-120-0x0000000073B40000-0x000000007422E000-memory.dmp

memory/1672-121-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\ffc412dc-ceb3-4aac-99f2-e87b750d9a0b\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/1620-126-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1620-125-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1620-124-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2792-131-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-130-0x00000000026B0000-0x00000000026F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2264-134-0x0000000000350000-0x00000000003E2000-memory.dmp

memory/2264-135-0x0000000000350000-0x00000000003E2000-memory.dmp

\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\AD21.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2092-142-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-143-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-144-0x0000000075C90000-0x0000000075DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D9C1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\D9C1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2548-171-0x0000000075C90000-0x0000000075DA0000-memory.dmp

memory/2548-173-0x0000000076380000-0x00000000763C7000-memory.dmp

memory/2548-174-0x0000000075C90000-0x0000000075DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 26fa76fee02f3404ca8f129b569e327c
SHA1 6f12b921204a4e3c6e920e9011d61ae4fb55a2e3
SHA256 b5061735178dd388b692b9da34adfaac87f2fde5e769b98b9772b110e2436b33
SHA512 817019216627ea09dbeafe600a29055ebe45ab5a9b6efa3bb8221a816263ba21c959fca4c2b71b87103242177e8e153f7eaa9fe4f5b5db21ffa979790c8d1cc8

memory/2548-170-0x0000000075C90000-0x0000000075DA0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 665617a661543a8ffd543f804129a903
SHA1 b1d6f903d30c7de4ce9f96bfb0a83fd386f9be4f
SHA256 ec8464d301ddd90cbcc19d9ef4029eb0d3d3f92ad2000da636ba1eea29a6c477
SHA512 127a21ab02092bc8721c0f8c0864a4a96fba3a1fd085cbdfd42e2bce809c7f729c9a972e1fc09198a9fca040d86fd71a71f0f9c488e2f6462229118eb09245da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 3d38b28a3b5fc2ecba404ac798eaba6a
SHA1 8f81b3bd3530d5f014352fb579c09c191a019301
SHA256 14bdc437381b8f5347bdb21c02816ed3d4316f107655f2df44c4d3eab4bdb0e4
SHA512 e4d8e26c6c22b49e9db0fd5518124d5007caf575de4c5be1a4ad5843ef0b69427c94f19bc5aa00334ebdfbc7353c32df80149b632ac0dc8bf18d099bad64ca2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

memory/2092-175-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-176-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-177-0x0000000073B40000-0x000000007422E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/2092-187-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2092-189-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/2092-201-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/1672-209-0x0000000073B40000-0x000000007422E000-memory.dmp

memory/2092-193-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/560-212-0x0000000073B40000-0x000000007422E000-memory.dmp

memory/1596-214-0x00000000FF100000-0x00000000FF138000-memory.dmp

memory/2828-223-0x0000000002460000-0x0000000002560000-memory.dmp

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\Temp\E1.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/2828-215-0x0000000000220000-0x0000000000271000-memory.dmp

memory/2632-234-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/2740-230-0x0000000000270000-0x0000000000302000-memory.dmp

memory/2740-227-0x0000000000270000-0x0000000000302000-memory.dmp

memory/2632-226-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2548-243-0x0000000000870000-0x000000000088C000-memory.dmp

memory/2092-242-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\E1.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

\Users\Admin\AppData\Local\Temp\E1.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\50265e6e-9b15-430e-a7f4-0b22b3c5a1ab\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/560-249-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2092-251-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1672-252-0x0000000004870000-0x00000000048B0000-memory.dmp

memory/2548-257-0x0000000000870000-0x0000000000885000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4207.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/2548-258-0x0000000000870000-0x0000000000885000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4207.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

\Users\Admin\AppData\Local\Temp\56C0.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

C:\Users\Admin\AppData\Local\Temp\56C0.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

C:\Users\Admin\AppData\Local\Temp\56C0.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

memory/2608-308-0x0000000000A70000-0x0000000000B30000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbbdff0a3cb42af64595acf1af267418
SHA1 275f09f9390f4c61222e089cdac9c2366b8b50d6
SHA256 4937b961522e1a404c67e6ceccbd54148c42f90fa2624dcd59bf5b9f52618fea
SHA512 f486f947e8dda69ebf7afaa05a73e7b0ca9ae79b16d5138ad8f128ef54a37197c1dd19bdbf0d745b5efa3a134d0ed2896edcc63a188b57d8e8f000cfdbe7a28d

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/2340-342-0x0000000002380000-0x0000000002411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/2340-350-0x0000000002380000-0x0000000002411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/2340-361-0x0000000003C10000-0x0000000003D2B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0b9940c33903f634eaa74b7d935074e
SHA1 6202c98d624e2b16c9079f313739dc1dcd0b11ae
SHA256 9e5659ff2912cd7480063324a37392f4566c7c7238099740d64636a9bb0b6fd5
SHA512 acddc6426d77d88fd56766a6cf27ed624065ce4993151c0bce1e1908f665c99b2a98a84bd359e687281738d7e98b4ef9533f93af5eb41d8eed4a326b10189287

C:\Users\Admin\AppData\Local\Temp\7CD9.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

\Users\Admin\AppData\Local\Temp\7CD9.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0237bdc2b532d6be1458fa2d17daecf
SHA1 3286409fd6e7957dddf587ad3a2b2a5211f8b6a7
SHA256 212f490b0553f77bf9ff6a458093cdbb3098ab47fe38818a26e2306992c400aa
SHA512 91b022cce61ef421e2a6955ecaf1cdc393b11f590b56c4d1102ad2494d976aacce7856462c5198d427c99316eef48a44e460736402e977fa6bde9dc61e0cac57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8052f535c1a6b3495d8a40dcffd29ab
SHA1 be37713141502f336ae55b3c9ebd3102064e26bd
SHA256 09a595c052b62c9e1f7bd1de44704c8abfb1b884d28e78d6c7bdf963f37c1151
SHA512 ba3583858b4a5b7b4887d713307c61849b778599b6339e36725f56e265fb4934154852f923417cf56334aa09c4be288e7035d6aaf65b14a7b0268b34294ae8fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8052f535c1a6b3495d8a40dcffd29ab
SHA1 be37713141502f336ae55b3c9ebd3102064e26bd
SHA256 09a595c052b62c9e1f7bd1de44704c8abfb1b884d28e78d6c7bdf963f37c1151
SHA512 ba3583858b4a5b7b4887d713307c61849b778599b6339e36725f56e265fb4934154852f923417cf56334aa09c4be288e7035d6aaf65b14a7b0268b34294ae8fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1490de4e88a2793d207dcbad3ebe0ba7
SHA1 ef916da0fe0297ddf49bc1d0d8fd6b0373522547
SHA256 fd064eb7b66e897ba27ac7327fedabb1a90fc5e650a94a9f65242ac6a42f41eb
SHA512 4986e2674f5e6ae637b445d8a399a9ece9a253ed4ba1222dcfb4980a10cdea0a423f52040f0ae71dbbcc2658da65f36168ec7a5de7f26317f5c15fd48f28f2db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d77ee27dbc516992f39d9793f4b53c1c
SHA1 fdaea936339e2fa4eeab186c1801c331c4c8d4b9
SHA256 9b768e655f62d757bf62ef0ffb3dcb3a6eaeeeda40529c07f8122c5adb56f0e1
SHA512 72b495ea16e084ddba52bf4ac1191580d31bd567b68fb583ab33a17da1ffc6caf1bcd1617dcd38a4278ac2cb0ced0706984bb6db6e8a2529a2ceb87078f39d4e

\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/944-477-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/1356-486-0x0000000000260000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DCB.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/2608-499-0x0000000000350000-0x0000000000358000-memory.dmp

memory/2608-500-0x00000000004E0000-0x00000000004FA000-memory.dmp

memory/2608-501-0x0000000000360000-0x0000000000366000-memory.dmp

memory/2608-504-0x000000001A790000-0x000000001A818000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 04:44

Reported

2023-09-14 04:46

Platform

win10v2004-20230831-en

Max time kernel

38s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 3248 N/A N/A C:\Users\Admin\AppData\Local\Temp\38BE.exe
PID 3264 wrote to memory of 3248 N/A N/A C:\Users\Admin\AppData\Local\Temp\38BE.exe
PID 3264 wrote to memory of 3248 N/A N/A C:\Users\Admin\AppData\Local\Temp\38BE.exe
PID 3264 wrote to memory of 3980 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CD6.exe
PID 3264 wrote to memory of 3980 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CD6.exe
PID 3264 wrote to memory of 3980 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CD6.exe
PID 3264 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F39.exe
PID 3264 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F39.exe
PID 3264 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F39.exe
PID 3264 wrote to memory of 2256 N/A N/A C:\Users\Admin\AppData\Local\Temp\40D0.exe
PID 3264 wrote to memory of 2256 N/A N/A C:\Users\Admin\AppData\Local\Temp\40D0.exe
PID 3264 wrote to memory of 2256 N/A N/A C:\Users\Admin\AppData\Local\Temp\40D0.exe
PID 3264 wrote to memory of 420 N/A N/A C:\Users\Admin\AppData\Local\Temp\4313.exe
PID 3264 wrote to memory of 420 N/A N/A C:\Users\Admin\AppData\Local\Temp\4313.exe
PID 3264 wrote to memory of 420 N/A N/A C:\Users\Admin\AppData\Local\Temp\4313.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\38BE.exe

C:\Users\Admin\AppData\Local\Temp\38BE.exe

C:\Users\Admin\AppData\Local\Temp\3CD6.exe

C:\Users\Admin\AppData\Local\Temp\3CD6.exe

C:\Users\Admin\AppData\Local\Temp\3F39.exe

C:\Users\Admin\AppData\Local\Temp\3F39.exe

C:\Users\Admin\AppData\Local\Temp\4313.exe

C:\Users\Admin\AppData\Local\Temp\4313.exe

C:\Users\Admin\AppData\Local\Temp\40D0.exe

C:\Users\Admin\AppData\Local\Temp\40D0.exe

C:\Users\Admin\AppData\Local\Temp\4DF1.exe

C:\Users\Admin\AppData\Local\Temp\4DF1.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\668B.exe

C:\Users\Admin\AppData\Local\Temp\668B.exe

C:\Users\Admin\AppData\Local\Temp\38BE.exe

C:\Users\Admin\AppData\Local\Temp\38BE.exe

C:\Users\Admin\AppData\Local\Temp\694B.exe

C:\Users\Admin\AppData\Local\Temp\694B.exe

C:\Users\Admin\AppData\Local\Temp\6DB1.exe

C:\Users\Admin\AppData\Local\Temp\6DB1.exe

C:\Users\Admin\AppData\Local\Temp\70BF.exe

C:\Users\Admin\AppData\Local\Temp\70BF.exe

C:\Users\Admin\AppData\Local\Temp\7F48.exe

C:\Users\Admin\AppData\Local\Temp\7F48.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8218.dll

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8218.dll

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5bc04d44-6227-43fd-a371-9024be38ef1c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\668B.exe

C:\Users\Admin\AppData\Local\Temp\668B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7F48.exe

C:\Users\Admin\AppData\Local\Temp\7F48.exe

C:\Users\Admin\AppData\Local\Temp\668B.exe

"C:\Users\Admin\AppData\Local\Temp\668B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7F48.exe

"C:\Users\Admin\AppData\Local\Temp\7F48.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\38BE.exe

"C:\Users\Admin\AppData\Local\Temp\38BE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Roaming\ifavacf

C:\Users\Admin\AppData\Roaming\ifavacf

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\668B.exe

"C:\Users\Admin\AppData\Local\Temp\668B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7F48.exe

"C:\Users\Admin\AppData\Local\Temp\7F48.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\38BE.exe

"C:\Users\Admin\AppData\Local\Temp\38BE.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4248 -ip 4248

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MX 201.124.224.61:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 61.224.124.201.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
NL 194.169.175.232:80 194.169.175.232 tcp
US 8.8.8.8:53 232.175.169.194.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
MX 201.124.224.61:80 colisumy.com tcp
MD 176.123.9.142:14845 tcp
NL 194.169.175.232:80 194.169.175.232 tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 login-sofi.4dq.com udp
DE 45.79.249.147:443 login-sofi.4dq.com tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 147.249.79.45.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 95.214.27.254:80 tcp
NL 194.169.175.232:45450 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
GB 51.38.95.107:42494 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 139.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.232:45450 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 95.214.27.254:80 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp

Files

memory/1220-1-0x00000000024A0000-0x00000000025A0000-memory.dmp

memory/1220-2-0x0000000002430000-0x0000000002439000-memory.dmp

memory/1220-3-0x0000000000400000-0x0000000002290000-memory.dmp

memory/3264-4-0x0000000003420000-0x0000000003436000-memory.dmp

memory/1220-5-0x0000000000400000-0x0000000002290000-memory.dmp

memory/1220-8-0x0000000002430000-0x0000000002439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38BE.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\38BE.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\3CD6.exe

MD5 1b67e388efc2b48f047e9eeb16edcef2
SHA1 2c5ddc2006c38caed1adab80df1e5a370821b47f
SHA256 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1
SHA512 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94

C:\Users\Admin\AppData\Local\Temp\3CD6.exe

MD5 1b67e388efc2b48f047e9eeb16edcef2
SHA1 2c5ddc2006c38caed1adab80df1e5a370821b47f
SHA256 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1
SHA512 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94

memory/3264-21-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-24-0x0000000003320000-0x0000000003330000-memory.dmp

memory/3264-30-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F39.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

C:\Users\Admin\AppData\Local\Temp\40D0.exe

MD5 52e2f416fb09cf8da94bf1a88a8bc31b
SHA1 b368ea2376b00d1439e292952d281c577d26049b
SHA256 cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345
SHA512 a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732

memory/3264-36-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-34-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-31-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3980-28-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3264-27-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-23-0x00000000002F0000-0x0000000000B92000-memory.dmp

memory/3264-22-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-38-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-42-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-44-0x00000000760A0000-0x0000000076190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F39.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/3264-45-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4313.exe

MD5 24f97033c62127b816fe4733b9b8a3f0
SHA1 bd8a47ad195de6fa694a6b8de214a7d06b516824
SHA256 f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612
SHA512 c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a

memory/3980-50-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3264-49-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-51-0x0000000003340000-0x0000000003341000-memory.dmp

memory/3264-52-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\40D0.exe

MD5 52e2f416fb09cf8da94bf1a88a8bc31b
SHA1 b368ea2376b00d1439e292952d281c577d26049b
SHA256 cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345
SHA512 a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732

memory/3264-57-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4313.exe

MD5 24f97033c62127b816fe4733b9b8a3f0
SHA1 bd8a47ad195de6fa694a6b8de214a7d06b516824
SHA256 f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612
SHA512 c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a

memory/3264-61-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-63-0x00000000002F0000-0x0000000000B92000-memory.dmp

memory/3264-65-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-69-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3980-72-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3264-77-0x0000000003300000-0x0000000003310000-memory.dmp

memory/2256-75-0x0000000002090000-0x00000000020C0000-memory.dmp

memory/3264-80-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-82-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-79-0x0000000003300000-0x0000000003310000-memory.dmp

memory/2256-76-0x0000000000400000-0x0000000000445000-memory.dmp

memory/3980-84-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3980-85-0x00000000002F0000-0x0000000000B92000-memory.dmp

memory/2256-87-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/3264-68-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4DF1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3980-86-0x0000000005560000-0x00000000055FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4DF1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3264-64-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-59-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-55-0x00000000771D4000-0x00000000771D6000-memory.dmp

memory/3264-53-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-48-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-47-0x00000000760A0000-0x0000000076190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2256-89-0x0000000004BD0000-0x00000000051E8000-memory.dmp

memory/3980-94-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3980-95-0x00000000760A0000-0x0000000076190000-memory.dmp

memory/3264-96-0x0000000003340000-0x0000000003341000-memory.dmp

memory/2256-101-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2256-97-0x00000000024B0000-0x00000000024C2000-memory.dmp

memory/2256-102-0x00000000024D0000-0x000000000250C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2256-93-0x00000000051F0000-0x00000000052FA000-memory.dmp

memory/3248-106-0x0000000002490000-0x000000000252C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\668B.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/4904-114-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\694B.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

memory/3264-124-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-123-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DB1.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

C:\Users\Admin\AppData\Local\Temp\6DB1.exe

MD5 b7a9dd705bcc0dbfc9cabc69b2953b33
SHA1 bb0c29b2169c908b8d25637651eeaa32135e0b80
SHA256 aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d
SHA512 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf

C:\Users\Admin\AppData\Local\Temp\70BF.exe

MD5 f4d73b7bcfcdc85f236054d09e6ad097
SHA1 2a7159b0a2efd5f912886bc6bc2e0d29cee577b6
SHA256 57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329
SHA512 bdae0fee3ea5439f53459254270e20ec0de3a20f2911bf4bf7301a608fb2eba4ee3eacbf758af3499ec81dc05eedb0f2358e49b1e170b8e00d4e362292235743

C:\Users\Admin\AppData\Local\Temp\694B.exe

MD5 f80d0dc2fe6ef74e286f99444bd6fe83
SHA1 30d3c3da98bc194650f0709b445863b76edb4fd8
SHA256 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa
SHA512 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/1760-151-0x0000029D975F0000-0x0000029D9760A000-memory.dmp

memory/3264-152-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/2256-166-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/2256-171-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/2256-174-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/3980-176-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/3264-180-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-181-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-188-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8218.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

memory/3264-192-0x0000000003300000-0x0000000003310000-memory.dmp

memory/672-195-0x0000000010000000-0x00000000102FA000-memory.dmp

memory/4212-196-0x00007FF60B880000-0x00007FF60B8B8000-memory.dmp

memory/3264-201-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3980-200-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/672-203-0x00000000011E0000-0x00000000011E6000-memory.dmp

memory/3980-204-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/3264-205-0x00000000014A0000-0x00000000014A3000-memory.dmp

memory/3980-209-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/820-199-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

memory/3980-194-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/1760-191-0x0000029D98FA0000-0x0000029D98FB0000-memory.dmp

memory/3980-189-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/3980-185-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/3264-184-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8218.dll

MD5 29a6feecd31507dcbf3355f6af904f10
SHA1 255c9a34e25e24c426efe0cb2a7000761de4b95d
SHA256 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082
SHA512 e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6

memory/3980-178-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/3264-177-0x0000000003300000-0x0000000003310000-memory.dmp

memory/1760-173-0x00007FFC26AD0000-0x00007FFC27591000-memory.dmp

memory/3264-172-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F48.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/3264-167-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7F48.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

memory/3264-163-0x0000000003300000-0x0000000003310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/3264-159-0x0000000003300000-0x0000000003310000-memory.dmp

memory/2256-154-0x0000000074630000-0x0000000074DE0000-memory.dmp

C:\Users\Admin\AppData\Local\5bc04d44-6227-43fd-a371-9024be38ef1c\38BE.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/3264-150-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/1760-142-0x0000029D97160000-0x0000029D97220000-memory.dmp

memory/820-141-0x0000000074630000-0x0000000074DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70BF.exe

MD5 f4d73b7bcfcdc85f236054d09e6ad097
SHA1 2a7159b0a2efd5f912886bc6bc2e0d29cee577b6
SHA256 57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329
SHA512 bdae0fee3ea5439f53459254270e20ec0de3a20f2911bf4bf7301a608fb2eba4ee3eacbf758af3499ec81dc05eedb0f2358e49b1e170b8e00d4e362292235743

memory/3264-137-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-139-0x0000000003300000-0x0000000003310000-memory.dmp

memory/820-135-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3264-131-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-128-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-122-0x0000000003300000-0x0000000003310000-memory.dmp

memory/3264-120-0x0000000003300000-0x0000000003310000-memory.dmp

memory/4904-121-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2940-118-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/4904-117-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38BE.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/4904-112-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2940-110-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\668B.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

memory/3248-108-0x0000000004080000-0x000000000419B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\668B.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\7F48.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 0e4ab87b54f0bc751e46de0379a91b4c
SHA1 90358a11b3204eac16b3fe3d2092a86cc3794eee
SHA256 aae12ddb9d17486d91d75793af823bc830356579c671b2ad10a6cc407711bdd4
SHA512 8d1bfb2735cb4897d5f9fb0ea25f2d6bb4fdec6b19f99dd61a9d05c4c44c07ca227c131d7100cf34e31be6bba43dd4e973775682b5d6f035826d5b206e691f72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 1630fd905e75196214bea24dc085f432
SHA1 d2e8f0fbde6fae4ad7b495687488a40ce136c50f
SHA256 f504c88dd1f7444ea1d9832621982d8c35dec8a35ef5a24a74357c727c66c01a
SHA512 47a624065e817e0422807cd1dc8002aeb5632e4fea405ab9914029f10b914a65b0145996d010798fdff18b32b090d6c12eea7b97070ab4e703527ed89f960a8e

C:\Users\Admin\AppData\Local\Temp\668B.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\5bc04d44-6227-43fd-a371-9024be38ef1c\38BE.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\7F48.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Temp\38BE.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 0eab9cbc81b630365ed87e70a3bcf348
SHA1 d6ce2097af6c58fe41f98e1b0f9c264aa552d253
SHA256 e8f1178d92ce896b5f45c707050c3e84527db102bc3687e1e7208dbd34cd7685
SHA512 1417409eee83f2c8d4a15f843374c826cc2250e23dc4d46648643d02bfbf8c463d6aa8b43274bf68be1e780f81d506948bf84903a7a1044b46b12813d67c9498

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

C:\Users\Admin\AppData\Roaming\ifavacf

MD5 f4e8f176190abbbc6c31cfd0371d5478
SHA1 589a5253e70a05c3db7621eb15f91ab8059750cb
SHA256 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b
SHA512 f13e993b3b1fc00089d0a3e2b7ccf130608afbce7d32e6a15aca23be68d9a90848d7885dfaab77d2b833869cd8313a7e4c6bdd4cd309b0ebd179293ffdfc0e7c

C:\Users\Admin\AppData\Local\Temp\668B.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Local\Temp\7F48.exe

MD5 39ad210451d748bf993549920c723a0f
SHA1 96897d5a8cd21ef0f71c1c40159cff9373855508
SHA256 b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a
SHA512 d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024

C:\Users\Admin\AppData\Local\Temp\38BE.exe

MD5 1631bd067f7a26ffbb67687957320e4a
SHA1 39db651bf4d3d499411c5678c221886b48406622
SHA256 f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120
SHA512 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da

C:\Users\Admin\AppData\Roaming\ifavacf

MD5 f4e8f176190abbbc6c31cfd0371d5478
SHA1 589a5253e70a05c3db7621eb15f91ab8059750cb
SHA256 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b
SHA512 f13e993b3b1fc00089d0a3e2b7ccf130608afbce7d32e6a15aca23be68d9a90848d7885dfaab77d2b833869cd8313a7e4c6bdd4cd309b0ebd179293ffdfc0e7c