Malware Analysis Report

2025-04-14 07:23

Sample ID 230914-y9cfpaeh5y
Target 0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a
SHA256 0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a

Threat Level: Known bad

The file 0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 backdoor discovery infostealer persistence ransomware spyware stealer trojan

SmokeLoader

Detected Djvu ransomware

Djvu Ransomware

Amadey

RedLine

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Uses Task Scheduler COM API

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 20:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 20:28

Reported

2023-09-14 20:31

Platform

win10v2004-20230831-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F1A8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F5D1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D4D4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E012.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D69A.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\15435f45-3a60-4cc0-840b-b7f2f2149b19\\D4D4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D4D4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servicesvcxx = "C:\\users\\public\\servicesvcxx.exe" C:\Windows\system32\reg.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FD25.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FD25.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FD25.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D786.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DCBA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3140 wrote to memory of 1992 N/A N/A C:\Users\Admin\AppData\Local\Temp\D4D4.exe
PID 3140 wrote to memory of 884 N/A N/A C:\Users\Admin\AppData\Local\Temp\D69A.exe
PID 3140 wrote to memory of 4800 N/A N/A C:\Users\Admin\AppData\Local\Temp\D786.exe
PID 3140 wrote to memory of 4996 N/A N/A C:\Users\Admin\AppData\Local\Temp\E012.exe
PID 3140 wrote to memory of 4464 N/A N/A C:\Users\Admin\AppData\Local\Temp\E226.exe
PID 4996 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\E012.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3716 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3716 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\D4D4.exe C:\Users\Admin\AppData\Local\Temp\D4D4.exe
PID 3140 wrote to memory of 3276 N/A N/A C:\Users\Admin\AppData\Local\Temp\D4D4.exe
PID 2060 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 4652 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3140 wrote to memory of 5032 N/A N/A C:\Users\Admin\AppData\Local\Temp\F5D1.exe
PID 4652 wrote to memory of 4668 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3140 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD25.exe
PID 3140 wrote to memory of 5116 N/A N/A C:\Users\Admin\AppData\Local\Temp\4.exe
PID 3140 wrote to memory of 1008 N/A N/A C:\Users\Admin\AppData\Local\Temp\1AB.exe
PID 1008 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1AB.exe C:\Windows\SYSTEM32\cmd.exe
PID 4416 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\D4D4.exe C:\Windows\SysWOW64\icacls.exe
PID 5116 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a.exe

"C:\Users\Admin\AppData\Local\Temp\0a8106ced4e6b4be7fc28d0c6d90dd86194bef7470791a72ee835b85c9e2365a.exe"

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

C:\Users\Admin\AppData\Local\Temp\D69A.exe

C:\Users\Admin\AppData\Local\Temp\D69A.exe

C:\Users\Admin\AppData\Local\Temp\D786.exe

C:\Users\Admin\AppData\Local\Temp\D786.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 884 -ip 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 852

C:\Users\Admin\AppData\Local\Temp\E012.exe

C:\Users\Admin\AppData\Local\Temp\E012.exe

C:\Users\Admin\AppData\Local\Temp\E226.exe

C:\Users\Admin\AppData\Local\Temp\E226.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

C:\Users\Admin\AppData\Local\Temp\F1A8.exe

C:\Users\Admin\AppData\Local\Temp\F1A8.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F4E5.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F4E5.dll

C:\Users\Admin\AppData\Local\Temp\F5D1.exe

C:\Users\Admin\AppData\Local\Temp\F5D1.exe

C:\Users\Admin\AppData\Local\Temp\FD25.exe

C:\Users\Admin\AppData\Local\Temp\FD25.exe

C:\Users\Admin\AppData\Local\Temp\4.exe

C:\Users\Admin\AppData\Local\Temp\4.exe

C:\Users\Admin\AppData\Local\Temp\1AB.exe

C:\Users\Admin\AppData\Local\Temp\1AB.exe

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cd C:\users\public\ & tar vxf servicesvcxx.zip

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\15435f45-3a60-4cc0-840b-b7f2f2149b19" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\tar.exe

tar vxf servicesvcxx.zip

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\F1A8.exe

C:\Users\Admin\AppData\Local\Temp\F1A8.exe

C:\Users\Admin\AppData\Local\Temp\F5D1.exe

C:\Users\Admin\AppData\Local\Temp\F5D1.exe

C:\Users\Admin\AppData\Local\Temp\F1A8.exe

"C:\Users\Admin\AppData\Local\Temp\F1A8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1AB.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v servicesvcxx /t REG_SZ /d "C:\users\public\servicesvcxx.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C C:\users\public\servicesvcxx.exe

C:\Users\Admin\AppData\Local\Temp\F5D1.exe

"C:\Users\Admin\AppData\Local\Temp\F5D1.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\users\public\servicesvcxx.exe

C:\users\public\servicesvcxx.exe

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v servicesvcxx /t REG_SZ /d "C:\users\public\servicesvcxx.exe"

C:\Windows\system32\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

"C:\Users\Admin\AppData\Local\Temp\D4D4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F1A8.exe

"C:\Users\Admin\AppData\Local\Temp\F1A8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4572 -ip 4572

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 576

C:\Users\Admin\AppData\Local\Temp\F5D1.exe

"C:\Users\Admin\AppData\Local\Temp\F5D1.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4724 -ip 4724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 572

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

"C:\Users\Admin\AppData\Local\Temp\D4D4.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 584

C:\Users\Admin\AppData\Local\Temp\DCBA.exe

C:\Users\Admin\AppData\Local\Temp\DCBA.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 115.88.24.200:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 200.24.88.115.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 advocaciasch.com.br udp
US 142.4.24.122:443 advocaciasch.com.br tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 122.24.4.142.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
DE 212.113.116.46:80 212.113.116.46 tcp
US 8.8.8.8:53 46.116.113.212.in-addr.arpa udp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
N/A 127.0.0.1:65283 tcp
US 8.8.8.8:53 gudintas.at udp
N/A 127.0.0.1:65343 tcp
MX 201.124.224.61:80 gudintas.at tcp
US 8.8.8.8:53 h170690.srv22.test-hf.su udp
RU 91.227.16.22:80 h170690.srv22.test-hf.su tcp
US 8.8.8.8:53 22.16.227.91.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/3940-0-0x00000000021C0000-0x00000000021D5000-memory.dmp

memory/3940-1-0x00000000021E0000-0x00000000021E9000-memory.dmp

memory/3940-2-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3140-3-0x0000000002950000-0x0000000002966000-memory.dmp

memory/3940-4-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3940-8-0x00000000021E0000-0x00000000021E9000-memory.dmp

memory/3940-7-0x00000000021C0000-0x00000000021D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

MD5 cb207cb2ec76c3a9a7ed541a856eb106
SHA1 3ca59dae06d5cdbb7b2dd46df8fd96b425649642
SHA256 e56f89b8b27ac502324aa6435ae11936cd5585b139cad0260c5c675cf9332063
SHA512 b22932211fde280c5ae95829fb46e5f9812f42b58911c00d36dd812e0659ab9a8716b02b9bcf7e0ccc4263f7e9ddd3e9cff5190c4641b95802a963a9aed13bbc

C:\Users\Admin\AppData\Local\Temp\D69A.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\D786.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

memory/884-23-0x0000000000400000-0x0000000000445000-memory.dmp

memory/884-24-0x0000000000A20000-0x0000000000A50000-memory.dmp

memory/884-31-0x0000000075070000-0x0000000075820000-memory.dmp

memory/4800-32-0x0000000000560000-0x0000000000590000-memory.dmp

memory/4800-33-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4800-37-0x0000000075070000-0x0000000075820000-memory.dmp

memory/4800-38-0x0000000004AB0000-0x00000000050C8000-memory.dmp

memory/4800-39-0x0000000005100000-0x000000000520A000-memory.dmp

memory/4800-40-0x0000000005240000-0x0000000005252000-memory.dmp

memory/4800-41-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/4800-44-0x0000000005260000-0x000000000529C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E012.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E226.exe

MD5 c82816b9cae5ab07c38a317572f3453f
SHA1 ce1911787bf09e30932a07308e9f1b04dcf7f3dd
SHA256 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695
SHA512 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b

memory/4464-54-0x00007FF8E8F40000-0x00007FF8E9A01000-memory.dmp

memory/4464-53-0x000001FE37990000-0x000001FE37A24000-memory.dmp

memory/4464-56-0x000001FE51FB0000-0x000001FE51FC0000-memory.dmp

memory/4464-55-0x000001FE37E00000-0x000001FE37E1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1992-69-0x00000000021C0000-0x00000000022DB000-memory.dmp

memory/884-70-0x0000000002760000-0x00000000027A5000-memory.dmp

memory/1992-66-0x0000000002020000-0x00000000020B1000-memory.dmp

memory/4416-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4416-78-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F1A8.exe

MD5 cb207cb2ec76c3a9a7ed541a856eb106
SHA1 3ca59dae06d5cdbb7b2dd46df8fd96b425649642
SHA256 e56f89b8b27ac502324aa6435ae11936cd5585b139cad0260c5c675cf9332063
SHA512 b22932211fde280c5ae95829fb46e5f9812f42b58911c00d36dd812e0659ab9a8716b02b9bcf7e0ccc4263f7e9ddd3e9cff5190c4641b95802a963a9aed13bbc

memory/4416-79-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4D4.exe

MD5 cb207cb2ec76c3a9a7ed541a856eb106
SHA1 3ca59dae06d5cdbb7b2dd46df8fd96b425649642
SHA256 e56f89b8b27ac502324aa6435ae11936cd5585b139cad0260c5c675cf9332063
SHA512 b22932211fde280c5ae95829fb46e5f9812f42b58911c00d36dd812e0659ab9a8716b02b9bcf7e0ccc4263f7e9ddd3e9cff5190c4641b95802a963a9aed13bbc

memory/884-77-0x0000000075070000-0x0000000075820000-memory.dmp

memory/4416-72-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4E5.dll

MD5 cd473f96a31e502950837fb6ed2fe819
SHA1 87bf2e1161ef159b56db4a6350d4dfe219f30683
SHA256 b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c
SHA512 509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94

C:\Users\Admin\AppData\Local\Temp\F5D1.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

memory/4800-88-0x0000000075070000-0x0000000075820000-memory.dmp

memory/4668-87-0x0000000010000000-0x00000000102D3000-memory.dmp

memory/4668-90-0x0000000000B80000-0x0000000000B86000-memory.dmp

memory/4800-91-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/4800-92-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/4800-93-0x0000000005BE0000-0x0000000006184000-memory.dmp

memory/4800-96-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/4800-101-0x00000000049A0000-0x00000000049B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD25.exe

MD5 3cd292481447a921fcce2fcd2f3018b3
SHA1 ea0ab113fcf3c916262b27dcc748e4f342b9a233
SHA256 24dd52285cf5f7c4a1fe0fa86e7d6021d8f0d9cac6cefa5b02318b69acf49149
SHA512 26851f5ba943424ca0146e9fcdd85f2fa7f573227e874c1e3f12407f3ab53be6cf8a564fe4a2b0e481c18548a77890d02ac8b46ac6cd4ef54c4db0b015cfd9db

C:\Users\Admin\AppData\Local\Temp\4.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

C:\Users\Admin\AppData\Local\Temp\1AB.exe

MD5 4ed28613572ea507b5efa991a8c46909
SHA1 22444959907b3d679475c837cf8086cae9706771
SHA256 edbb97cab97331430fb7e9ab97df6541d14435e548bef472f31e4ac48c60eb11
SHA512 3453a4f8b00a91a42e0c2f297e8cb6451340c053be5a54bf50a4c9bc8165a088de2290533cd94b024dd6d9a6507e88bcb509a45c2c3787526a6669a59e063fc6

memory/4464-111-0x00007FF8E8F40000-0x00007FF8E9A01000-memory.dmp

memory/4800-112-0x0000000006290000-0x0000000006452000-memory.dmp

memory/4800-116-0x0000000006460000-0x000000000698C000-memory.dmp

C:\Users\Admin\AppData\Local\15435f45-3a60-4cc0-840b-b7f2f2149b19\D4D4.exe

MD5 cb207cb2ec76c3a9a7ed541a856eb106
SHA1 3ca59dae06d5cdbb7b2dd46df8fd96b425649642
SHA256 e56f89b8b27ac502324aa6435ae11936cd5585b139cad0260c5c675cf9332063
SHA512 b22932211fde280c5ae95829fb46e5f9812f42b58911c00d36dd812e0659ab9a8716b02b9bcf7e0ccc4263f7e9ddd3e9cff5190c4641b95802a963a9aed13bbc

memory/4464-119-0x000001FE51FB0000-0x000001FE51FC0000-memory.dmp

memory/2188-120-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2188-122-0x0000000075070000-0x0000000075820000-memory.dmp

memory/4416-121-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2188-125-0x0000000004E00000-0x0000000004E10000-memory.dmp

C:\Users\Public\servicesvcxx.zip

MD5 20b1a155cdd9abb35f626fcfee8ac1f3
SHA1 55bfe667b848869b600b7890e2563f9ba6d7669b
SHA256 4bab9cb31d316979afcd85268c60100b3a31af21e5972d553d1eb49ff01672b5
SHA512 0cbc1320cb18b8cae74354b03905b5ea6a3a3f27aeb342faff8c60e908f6ed1fe25e6c4f22720c4d869350085e5794410ddf83c0021211e7a8490921496a3a9c

memory/4920-128-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4920-129-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4920-130-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-131-0x0000000002080000-0x0000000002112000-memory.dmp

memory/5032-132-0x0000000002220000-0x000000000233B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

memory/1324-135-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1324-140-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 0cdbaf351d24fbb736cc8537638d2965
SHA1 a441c63e0cdc698f59aa9795f15d358fe747dde3
SHA256 07228371baef1533a70c3b5b1d41bfdfda4e440200f35cddb0a0d9e230ab742b
SHA512 e07d2d333821424c23cf3a47c780fe7407ed67e345f8f39cf389375e521580b5bb43d793ae3adfdfafd39312ec205cd78b39166f3c27e47350dcc42ffb7e1f52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fa4ae5fcb44bfaf845b845961180d250
SHA1 8257ee68bdd2bc3ea2723eda7aeba404195d46bf
SHA256 574c66c19561773196a88f115168cf5d73b71fd26f9034606fe38a5535d4df96
SHA512 ad1de0c1d0f5a4a7e3615b48537f75250779368b388520b001d96367d5aa19fa88a9f471d1212e679ab9eaae854374445807877891bf1b803fa6c7886877d253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fe6b38709782f78974b8cc2cc06a8bc8
SHA1 c62e30214c01efc76659b398a69833ecdcb6f2ed
SHA256 8a745b1ca25402dd4184f57baf5fd53ea39285b3fc82fd5ba7d51c1511a9c470
SHA512 07df632e74e5abfc0d23ad8fc38c26beeb19d9589267ab47f5a4da4e8e9748f8cf68963d6b4aa0baba34cdee239ba70556ba28243e33b2094a96974eed7026ce

memory/1324-133-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1324-141-0x0000000000400000-0x0000000000537000-memory.dmp

C:\users\public\servicesvcxx.exe

MD5 fa289d86c4204aea85aca3a4efe19fc3
SHA1 f794bcb6830dbe6d34fb61f8caaa15c151ddd0e0
SHA256 6da00a4765c73d6115f4ac5dc190091f0aed60f47eedfea0c145f1722fcc9b96
SHA512 df1e8abe8df58e52fa95ef01aa1095ce4f9c03461f60c6c8c8092df84d5e74b9eb4e10a4a40a91c28923211c9dab71dc09764a3f2d719d03754ae072b94b32e0

memory/4920-144-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4568-147-0x0000000000590000-0x00000000005A5000-memory.dmp

memory/4568-148-0x00000000005B0000-0x00000000005B9000-memory.dmp

memory/4568-149-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2188-150-0x0000000075070000-0x0000000075820000-memory.dmp

memory/1324-151-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4800-155-0x0000000007E30000-0x0000000007E80000-memory.dmp

memory/2188-156-0x0000000004E00000-0x0000000004E10000-memory.dmp

memory/4800-159-0x0000000075070000-0x0000000075820000-memory.dmp

C:\Users\Public\servicesvcxx.exe

MD5 fa289d86c4204aea85aca3a4efe19fc3
SHA1 f794bcb6830dbe6d34fb61f8caaa15c151ddd0e0
SHA256 6da00a4765c73d6115f4ac5dc190091f0aed60f47eedfea0c145f1722fcc9b96
SHA512 df1e8abe8df58e52fa95ef01aa1095ce4f9c03461f60c6c8c8092df84d5e74b9eb4e10a4a40a91c28923211c9dab71dc09764a3f2d719d03754ae072b94b32e0

memory/3140-162-0x0000000003110000-0x0000000003126000-memory.dmp

memory/4568-164-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4668-167-0x0000000002840000-0x0000000002942000-memory.dmp

memory/4668-169-0x0000000000CA0000-0x0000000000D88000-memory.dmp

memory/4416-168-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4668-172-0x0000000000CA0000-0x0000000000D88000-memory.dmp

memory/4668-174-0x0000000000CA0000-0x0000000000D88000-memory.dmp

memory/4668-175-0x0000000000CA0000-0x0000000000D88000-memory.dmp

memory/1036-176-0x0000000000610000-0x00000000006A1000-memory.dmp

memory/4572-179-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4572-180-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4572-182-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4724-186-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4724-187-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4724-189-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

memory/2188-192-0x0000000075070000-0x0000000075820000-memory.dmp

memory/3276-198-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3276-199-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\eduuvcc

MD5 3cd292481447a921fcce2fcd2f3018b3
SHA1 ea0ab113fcf3c916262b27dcc748e4f342b9a233
SHA256 24dd52285cf5f7c4a1fe0fa86e7d6021d8f0d9cac6cefa5b02318b69acf49149
SHA512 26851f5ba943424ca0146e9fcdd85f2fa7f573227e874c1e3f12407f3ab53be6cf8a564fe4a2b0e481c18548a77890d02ac8b46ac6cd4ef54c4db0b015cfd9db

C:\Users\Admin\AppData\Local\Temp\DCBA.exe

MD5 b9d54281382702952367d21a226c47a3
SHA1 8e0eb2d3829523887fe659fb5ab20c0058c9cbda
SHA256 e54f49d1acb2f52c5a889249ec33b5d56135140013b749c920cc53dc461682a6
SHA512 57bca6ca960105604fd75660e89762bc288f69f52c598044867745449518d5f99c4ed1e0801841adb52f82d712410aa6a6bd4119bec44932c05df57aafc7ecdc

memory/680-211-0x0000000075080000-0x0000000075830000-memory.dmp

memory/680-212-0x0000000000430000-0x000000000061C000-memory.dmp

memory/680-213-0x0000000005400000-0x0000000005410000-memory.dmp

memory/680-214-0x00000000053F0000-0x00000000053FA000-memory.dmp

memory/680-215-0x0000000007D60000-0x0000000007DFC000-memory.dmp

memory/680-216-0x0000000075080000-0x0000000075830000-memory.dmp

memory/680-217-0x0000000005400000-0x0000000005410000-memory.dmp

memory/680-221-0x0000000005400000-0x0000000005410000-memory.dmp

memory/4856-222-0x0000000075080000-0x0000000075830000-memory.dmp

memory/4856-223-0x0000000000400000-0x00000000004FE000-memory.dmp

memory/4856-224-0x0000000005A20000-0x0000000005A30000-memory.dmp

memory/4856-225-0x0000000005A20000-0x0000000005A30000-memory.dmp