Malware Analysis Report

2025-04-14 07:23

Sample ID 230914-th1a8afg34
Target 00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59
SHA256 00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59

Threat Level: Known bad

The file 00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59 was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan

Amadey

SmokeLoader

Detected Djvu ransomware

Djvu Ransomware

RedLine

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Modifies file permissions

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 16:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 16:04

Reported

2023-09-14 16:06

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4307.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35A4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3CEB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\23BF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2518.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2518.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f8270a9d-c170-43e7-a790-a37e588c6093\\23BF.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\23BF.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25F4.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3180 wrote to memory of 892 N/A N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 3180 wrote to memory of 892 N/A N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 3180 wrote to memory of 892 N/A N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 3180 wrote to memory of 1668 N/A N/A C:\Users\Admin\AppData\Local\Temp\2518.exe
PID 3180 wrote to memory of 1668 N/A N/A C:\Users\Admin\AppData\Local\Temp\2518.exe
PID 3180 wrote to memory of 1668 N/A N/A C:\Users\Admin\AppData\Local\Temp\2518.exe
PID 3180 wrote to memory of 5096 N/A N/A C:\Users\Admin\AppData\Local\Temp\25F4.exe
PID 3180 wrote to memory of 5096 N/A N/A C:\Users\Admin\AppData\Local\Temp\25F4.exe
PID 3180 wrote to memory of 5096 N/A N/A C:\Users\Admin\AppData\Local\Temp\25F4.exe
PID 3180 wrote to memory of 708 N/A N/A C:\Users\Admin\AppData\Local\Temp\35A4.exe
PID 3180 wrote to memory of 708 N/A N/A C:\Users\Admin\AppData\Local\Temp\35A4.exe
PID 3180 wrote to memory of 708 N/A N/A C:\Users\Admin\AppData\Local\Temp\35A4.exe
PID 3180 wrote to memory of 4860 N/A N/A C:\Users\Admin\AppData\Local\Temp\37C8.exe
PID 3180 wrote to memory of 4860 N/A N/A C:\Users\Admin\AppData\Local\Temp\37C8.exe
PID 3180 wrote to memory of 2264 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3180 wrote to memory of 2264 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3180 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CEB.exe
PID 3180 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CEB.exe
PID 3180 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CEB.exe
PID 2264 wrote to memory of 1740 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2264 wrote to memory of 1740 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2264 wrote to memory of 1740 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3180 wrote to memory of 4204 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe
PID 3180 wrote to memory of 4204 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe
PID 3180 wrote to memory of 4204 N/A N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe
PID 3180 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\Temp\4307.exe
PID 3180 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\Temp\4307.exe
PID 3180 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\Temp\4307.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 892 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\23BF.exe C:\Users\Admin\AppData\Local\Temp\23BF.exe
PID 464 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\4307.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 464 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\4307.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 464 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\4307.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4548 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4548 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4548 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4548 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4204 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\SysWOW64\cacls.exe
PID 4204 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\SysWOW64\cacls.exe
PID 4204 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\SysWOW64\cacls.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4204 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\3E92.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe

"C:\Users\Admin\AppData\Local\Temp\00bdef95132662b30121acd74424e62335ad06691c3c4fbf7f8b7b45d9dcab59.exe"

C:\Users\Admin\AppData\Local\Temp\23BF.exe

C:\Users\Admin\AppData\Local\Temp\23BF.exe

C:\Users\Admin\AppData\Local\Temp\2518.exe

C:\Users\Admin\AppData\Local\Temp\2518.exe

C:\Users\Admin\AppData\Local\Temp\25F4.exe

C:\Users\Admin\AppData\Local\Temp\25F4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1668 -ip 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 860

C:\Users\Admin\AppData\Local\Temp\35A4.exe

C:\Users\Admin\AppData\Local\Temp\35A4.exe

C:\Users\Admin\AppData\Local\Temp\37C8.exe

C:\Users\Admin\AppData\Local\Temp\37C8.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3B82.dll

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

C:\Users\Admin\AppData\Local\Temp\3E92.exe

C:\Users\Admin\AppData\Local\Temp\3E92.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3B82.dll

C:\Users\Admin\AppData\Local\Temp\4307.exe

C:\Users\Admin\AppData\Local\Temp\4307.exe

C:\Users\Admin\AppData\Local\Temp\23BF.exe

C:\Users\Admin\AppData\Local\Temp\23BF.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f8270a9d-c170-43e7-a790-a37e588c6093" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\35A4.exe

C:\Users\Admin\AppData\Local\Temp\35A4.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

C:\Users\Admin\AppData\Local\Temp\35A4.exe

"C:\Users\Admin\AppData\Local\Temp\35A4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

"C:\Users\Admin\AppData\Local\Temp\3CEB.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\23BF.exe

"C:\Users\Admin\AppData\Local\Temp\23BF.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\35A4.exe

"C:\Users\Admin\AppData\Local\Temp\35A4.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 568

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

"C:\Users\Admin\AppData\Local\Temp\3CEB.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2840 -ip 2840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 568

C:\Users\Admin\AppData\Local\Temp\23BF.exe

"C:\Users\Admin\AppData\Local\Temp\23BF.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3652 -ip 3652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 572

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Local\f8270a9d-c170-43e7-a790-a37e588c6093\23BF.exe

C:\Users\Admin\AppData\Local\f8270a9d-c170-43e7-a790-a37e588c6093\23BF.exe --Task

C:\Users\Admin\AppData\Roaming\dajrwvj

C:\Users\Admin\AppData\Roaming\dajrwvj

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 172.67.181.144:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 211.40.39.251:80 colisumy.com tcp
US 8.8.8.8:53 144.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
KR 211.40.39.251:80 colisumy.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 dpecalgerie.com udp
FI 95.217.201.52:443 dpecalgerie.com tcp
US 8.8.8.8:53 52.201.217.95.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.190.160.14:443 tcp

Files

memory/4072-0-0x00000000021D0000-0x00000000021E5000-memory.dmp

memory/4072-1-0x0000000000640000-0x0000000000649000-memory.dmp

memory/4072-2-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4072-4-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3180-3-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

memory/4072-7-0x00000000021D0000-0x00000000021E5000-memory.dmp

memory/4072-8-0x0000000000640000-0x0000000000649000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\23BF.exe

MD5 7b5d0640a2040b88850b64b7f255df81
SHA1 305cf5b168d56db8d7ce90478e947b4905f00c32
SHA256 6b9c75e248afe6fc5853fca6a17021712dd91d8c72599efd4245d08f5c96c8e1
SHA512 6b640ba2af03f19dc34c16c292012a8717df0b5ae4e97fe900531875bb6925105eebf491642289568e5db54965047471b7bc8d2d6e562cf0333579d241ae59d6

C:\Users\Admin\AppData\Local\Temp\23BF.exe

MD5 7b5d0640a2040b88850b64b7f255df81
SHA1 305cf5b168d56db8d7ce90478e947b4905f00c32
SHA256 6b9c75e248afe6fc5853fca6a17021712dd91d8c72599efd4245d08f5c96c8e1
SHA512 6b640ba2af03f19dc34c16c292012a8717df0b5ae4e97fe900531875bb6925105eebf491642289568e5db54965047471b7bc8d2d6e562cf0333579d241ae59d6

C:\Users\Admin\AppData\Local\Temp\2518.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\2518.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\25F4.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

memory/1668-23-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1668-24-0x0000000000520000-0x0000000000550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25F4.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

C:\Users\Admin\AppData\Local\Temp\2518.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

memory/1668-33-0x0000000074940000-0x00000000750F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2518.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

memory/5096-29-0x00000000007B0000-0x00000000007E0000-memory.dmp

memory/5096-36-0x0000000000400000-0x0000000000445000-memory.dmp

memory/5096-37-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/5096-38-0x0000000004B10000-0x0000000005128000-memory.dmp

memory/5096-39-0x0000000005130000-0x000000000523A000-memory.dmp

memory/5096-40-0x0000000005240000-0x0000000005252000-memory.dmp

memory/5096-41-0x0000000004B00000-0x0000000004B10000-memory.dmp

memory/5096-42-0x0000000005260000-0x000000000529C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35A4.exe

MD5 7b5d0640a2040b88850b64b7f255df81
SHA1 305cf5b168d56db8d7ce90478e947b4905f00c32
SHA256 6b9c75e248afe6fc5853fca6a17021712dd91d8c72599efd4245d08f5c96c8e1
SHA512 6b640ba2af03f19dc34c16c292012a8717df0b5ae4e97fe900531875bb6925105eebf491642289568e5db54965047471b7bc8d2d6e562cf0333579d241ae59d6

C:\Users\Admin\AppData\Local\Temp\35A4.exe

MD5 7b5d0640a2040b88850b64b7f255df81
SHA1 305cf5b168d56db8d7ce90478e947b4905f00c32
SHA256 6b9c75e248afe6fc5853fca6a17021712dd91d8c72599efd4245d08f5c96c8e1
SHA512 6b640ba2af03f19dc34c16c292012a8717df0b5ae4e97fe900531875bb6925105eebf491642289568e5db54965047471b7bc8d2d6e562cf0333579d241ae59d6

C:\Users\Admin\AppData\Local\Temp\37C8.exe

MD5 c82816b9cae5ab07c38a317572f3453f
SHA1 ce1911787bf09e30932a07308e9f1b04dcf7f3dd
SHA256 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695
SHA512 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b

memory/4860-51-0x000001AF147D0000-0x000001AF14864000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37C8.exe

MD5 c82816b9cae5ab07c38a317572f3453f
SHA1 ce1911787bf09e30932a07308e9f1b04dcf7f3dd
SHA256 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695
SHA512 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b

memory/4860-53-0x000001AF2EBF0000-0x000001AF2EC0A000-memory.dmp

memory/4860-54-0x000001AF2ECC0000-0x000001AF2ECD0000-memory.dmp

memory/4860-52-0x00007FFBBB2D0000-0x00007FFBBBD91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

C:\Users\Admin\AppData\Local\Temp\3CEB.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

C:\Users\Admin\AppData\Local\Temp\3E92.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16
