Malware Analysis Report

2025-04-14 07:23

Sample ID 230914-t68bqsga27
Target fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7
SHA256 fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7

Threat Level: Known bad

The file fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7 was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan

Djvu Ransomware

Detected Djvu ransomware

SmokeLoader

RedLine

Amadey

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 16:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 16:41

Reported

2023-09-14 16:43

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\38D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E60A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F34C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBFA.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\017d9ae4-3dc5-4aaf-8aa2-549f0aadff11\\E60A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E60A.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E90A.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E7D1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 708 wrote to memory of 4832 N/A N/A C:\Users\Admin\AppData\Local\Temp\E60A.exe
PID 708 wrote to memory of 1304 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7D1.exe
PID 708 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\E90A.exe
PID 708 wrote to memory of 2064 N/A N/A C:\Users\Admin\AppData\Local\Temp\F34C.exe
PID 708 wrote to memory of 4756 N/A N/A C:\Users\Admin\AppData\Local\Temp\F5FD.exe
PID 708 wrote to memory of 4268 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4268 wrote to memory of 4664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 708 wrote to memory of 2492 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBFA.exe
PID 708 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE5C.exe
PID 708 wrote to memory of 3860 N/A N/A C:\Users\Admin\AppData\Local\Temp\38D.exe
PID 3860 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\38D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4832 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\E60A.exe C:\Users\Admin\AppData\Local\Temp\E60A.exe
PID 1700 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1700 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\FE5C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2064 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\F34C.exe C:\Users\Admin\AppData\Local\Temp\F34C.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe

"C:\Users\Admin\AppData\Local\Temp\fe97756583a851050644fb23a5a247ea2f8bf090f348b2f99c39b4529ada28a7.exe"

C:\Users\Admin\AppData\Local\Temp\E60A.exe

C:\Users\Admin\AppData\Local\Temp\E60A.exe

C:\Users\Admin\AppData\Local\Temp\E7D1.exe

C:\Users\Admin\AppData\Local\Temp\E7D1.exe

C:\Users\Admin\AppData\Local\Temp\E90A.exe

C:\Users\Admin\AppData\Local\Temp\E90A.exe

C:\Users\Admin\AppData\Local\Temp\F34C.exe

C:\Users\Admin\AppData\Local\Temp\F34C.exe

C:\Users\Admin\AppData\Local\Temp\F5FD.exe

C:\Users\Admin\AppData\Local\Temp\F5FD.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FA34.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FA34.dll

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

C:\Users\Admin\AppData\Local\Temp\FE5C.exe

C:\Users\Admin\AppData\Local\Temp\FE5C.exe

C:\Users\Admin\AppData\Local\Temp\38D.exe

C:\Users\Admin\AppData\Local\Temp\38D.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\E60A.exe

C:\Users\Admin\AppData\Local\Temp\E60A.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\F34C.exe

C:\Users\Admin\AppData\Local\Temp\F34C.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\017d9ae4-3dc5-4aaf-8aa2-549f0aadff11" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\E60A.exe

"C:\Users\Admin\AppData\Local\Temp\E60A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F34C.exe

"C:\Users\Admin\AppData\Local\Temp\F34C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

"C:\Users\Admin\AppData\Local\Temp\FBFA.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E60A.exe

"C:\Users\Admin\AppData\Local\Temp\E60A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

"C:\Users\Admin\AppData\Local\Temp\FBFA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 568

C:\Users\Admin\AppData\Local\Temp\F34C.exe

"C:\Users\Admin\AppData\Local\Temp\F34C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 856 -ip 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 128.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
MX 187.204.68.129:80 colisumy.com tcp
US 8.8.8.8:53 129.68.204.187.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
US 38.181.25.43:3325 tcp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 dpecalgerie.com udp
FI 95.217.201.52:443 dpecalgerie.com tcp
US 8.8.8.8:53 52.201.217.95.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.141.27.67.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/3488-0-0x0000000000720000-0x0000000000735000-memory.dmp

memory/3488-1-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3488-2-0x00000000021E0000-0x00000000021E9000-memory.dmp

memory/708-3-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/3488-4-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3488-7-0x0000000000720000-0x0000000000735000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E60A.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

C:\Users\Admin\AppData\Local\Temp\E7D1.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\E90A.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

memory/1304-22-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1304-23-0x00000000004F0000-0x0000000000520000-memory.dmp

memory/1304-28-0x0000000075060000-0x0000000075810000-memory.dmp

memory/2692-29-0x00000000005F0000-0x0000000000620000-memory.dmp

memory/2692-30-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2692-34-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1304-35-0x0000000004BC0000-0x00000000051D8000-memory.dmp

memory/1304-36-0x00000000051E0000-0x00000000052EA000-memory.dmp

memory/2692-38-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/2692-37-0x0000000004B00000-0x0000000004B12000-memory.dmp

memory/1304-39-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/2692-40-0x0000000004B20000-0x0000000004B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F34C.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

C:\Users\Admin\AppData\Local\Temp\F5FD.exe

MD5 c82816b9cae5ab07c38a317572f3453f
SHA1 ce1911787bf09e30932a07308e9f1b04dcf7f3dd
SHA256 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695
SHA512 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b

memory/4756-51-0x00007FFDE97E0000-0x00007FFDEA2A1000-memory.dmp

memory/4756-50-0x000002893AB70000-0x000002893AB8A000-memory.dmp

memory/4756-49-0x000002893A6A0000-0x000002893A734000-memory.dmp

memory/4756-53-0x0000028954DB0000-0x0000028954DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA34.dll

MD5 cd473f96a31e502950837fb6ed2fe819
SHA1 87bf2e1161ef159b56db4a6350d4dfe219f30683
SHA256 b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c
SHA512 509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

C:\Users\Admin\AppData\Local\Temp\FE5C.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

memory/4664-63-0x00000000005F0000-0x00000000005F6000-memory.dmp

memory/4664-62-0x0000000010000000-0x00000000102D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1304-73-0x0000000075060000-0x0000000075810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2692-82-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/4832-83-0x00000000021E0000-0x00000000022FB000-memory.dmp

memory/1160-85-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2692-84-0x00000000054C0000-0x0000000005552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4832-79-0x0000000002000000-0x0000000002091000-memory.dmp

memory/1160-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2692-90-0x0000000005560000-0x0000000005B04000-memory.dmp

memory/1304-91-0x00000000056A0000-0x0000000005706000-memory.dmp

memory/1304-93-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/2692-92-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/1160-94-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-89-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E60A.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

memory/2692-86-0x0000000075060000-0x0000000075810000-memory.dmp

memory/2076-96-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4756-97-0x00007FFDE97E0000-0x00007FFDEA2A1000-memory.dmp

memory/2076-98-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4756-99-0x0000028954DB0000-0x0000028954DC0000-memory.dmp

memory/2692-103-0x00000000063C0000-0x0000000006582000-memory.dmp

memory/2692-105-0x0000000006590000-0x0000000006ABC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F34C.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

memory/4608-111-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4608-110-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2692-114-0x0000000006BC0000-0x0000000006C10000-memory.dmp

memory/4608-112-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\017d9ae4-3dc5-4aaf-8aa2-549f0aadff11\E60A.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

memory/2492-116-0x0000000002070000-0x0000000002102000-memory.dmp

memory/2492-117-0x0000000002210000-0x000000000232B000-memory.dmp

memory/1160-118-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1324-119-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

memory/1324-121-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1324-122-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1324-123-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4664-124-0x00000000025F0000-0x00000000026F2000-memory.dmp

memory/4664-126-0x0000000002700000-0x00000000027E8000-memory.dmp

memory/4664-127-0x0000000002700000-0x00000000027E8000-memory.dmp

memory/4664-129-0x0000000002700000-0x00000000027E8000-memory.dmp

memory/4664-130-0x0000000002700000-0x00000000027E8000-memory.dmp

memory/2076-131-0x0000000075060000-0x0000000075810000-memory.dmp

memory/2692-134-0x0000000075060000-0x0000000075810000-memory.dmp

memory/2076-135-0x0000000005010000-0x0000000005020000-memory.dmp

C:\Users\Admin\AppData\Local\017d9ae4-3dc5-4aaf-8aa2-549f0aadff11\E60A.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fa4ae5fcb44bfaf845b845961180d250
SHA1 8257ee68bdd2bc3ea2723eda7aeba404195d46bf
SHA256 574c66c19561773196a88f115168cf5d73b71fd26f9034606fe38a5535d4df96
SHA512 ad1de0c1d0f5a4a7e3615b48537f75250779368b388520b001d96367d5aa19fa88a9f471d1212e679ab9eaae854374445807877891bf1b803fa6c7886877d253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 dc4f16ffd8d8b1c0d2c93b213ff5c22d
SHA1 f69d29121052e38be8babe77bb06761bfdad01d7
SHA256 0b5dc1250ab95cdd7ef716360411396efbc0f3499de01c68d497841796b770fe
SHA512 485a45c8323d0708b4fa34c34575ea4abfcfbabd90265ffc8000b64cca55ba7144a8ab1d75bc906456b8eab0a50e0c1ff87fc53fdc6cab4dcb8b90900426bb82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 bd24456a9db6778f80c0d8dd1d2b09bf
SHA1 39fac09087d73aa7438c8e8d0876da771fb018eb
SHA256 d484b58f2d445f92b8c0204f21f7da7bcf9e93b5fc387901fccd5ebebb19d1e2
SHA512 f2ad0363768abe1c2a46d809bc6389384f6ed6f8f9f1ad5e1216c99df0ae856fc9043a72966ef84599fe691ac31d5c9e04c321651892271e77594cc5e452bd8e

memory/1160-141-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E60A.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

memory/4608-144-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F34C.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

memory/1324-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1304-152-0x0000000075060000-0x0000000075810000-memory.dmp

memory/2076-154-0x0000000075060000-0x0000000075810000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

memory/3988-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3988-158-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E60A.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

memory/3988-160-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2324-163-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBFA.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

memory/2324-164-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2324-166-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F34C.exe

MD5 b5a67916054e01de81ec66ef37585346
SHA1 1ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256 e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA512 5bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d

memory/856-170-0x0000000000400000-0x0000000000537000-memory.dmp

memory/856-169-0x0000000000400000-0x0000000000537000-memory.dmp

memory/856-172-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4