Malware Analysis Report

2025-04-14 07:23

Sample ID 230915-jxmcsscd27
Target 87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c
SHA256 87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c

Threat Level: Known bad

The file 87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c was found to be: Known bad.

Malicious Activity Summary

Amadey

Djvu Ransomware

SmokeLoader

Detected Djvu ransomware

RedLine

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-15 08:02

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-15 08:02

Reported

2023-09-15 08:05

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D476.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E2F1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4D2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8AD.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\be0ddb95-c0ab-4630-ac81-0f9f65b6c3d1\\D476.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D476.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D718.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D5FE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 700 wrote to memory of 3804 N/A N/A C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 700 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\Temp\D5FE.exe
PID 3804 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 700 wrote to memory of 4108 N/A N/A C:\Users\Admin\AppData\Local\Temp\D718.exe
PID 1760 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Windows\SysWOW64\icacls.exe
PID 1760 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 700 wrote to memory of 396 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2F1.exe
PID 2032 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 700 wrote to memory of 3248 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5B1.exe
PID 396 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\E2F1.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3884 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3884 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4540 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4540 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe

"C:\Users\Admin\AppData\Local\Temp\87e567d57d4ff55b5c517bdce7b8aad0472e926fad98ca47219bd1b91a49e92c.exe"

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Users\Admin\AppData\Local\Temp\D5FE.exe

C:\Users\Admin\AppData\Local\Temp\D5FE.exe

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Users\Admin\AppData\Local\Temp\D718.exe

C:\Users\Admin\AppData\Local\Temp\D718.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\be0ddb95-c0ab-4630-ac81-0f9f65b6c3d1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\D476.exe

"C:\Users\Admin\AppData\Local\Temp\D476.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E2F1.exe

C:\Users\Admin\AppData\Local\Temp\E2F1.exe

C:\Users\Admin\AppData\Local\Temp\D476.exe

"C:\Users\Admin\AppData\Local\Temp\D476.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 568

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4D2.exe

C:\Users\Admin\AppData\Local\Temp\4D2.exe

C:\Users\Admin\AppData\Local\Temp\4D2.exe

C:\Users\Admin\AppData\Local\Temp\4D2.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7B2.dll

C:\Users\Admin\AppData\Local\Temp\8AD.exe

C:\Users\Admin\AppData\Local\Temp\8AD.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7B2.dll

C:\Users\Admin\AppData\Local\Temp\4D2.exe

"C:\Users\Admin\AppData\Local\Temp\4D2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4D2.exe

"C:\Users\Admin\AppData\Local\Temp\4D2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\14C4.exe

C:\Users\Admin\AppData\Local\Temp\14C4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 796 -ip 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\8AD.exe

C:\Users\Admin\AppData\Local\Temp\8AD.exe

C:\Users\Admin\AppData\Local\Temp\8AD.exe

"C:\Users\Admin\AppData\Local\Temp\8AD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8AD.exe

"C:\Users\Admin\AppData\Local\Temp\8AD.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 572

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.1:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
AR 186.182.55.44:80 colisumy.com tcp
US 8.8.8.8:53 1.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 44.55.182.186.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
MD 176.123.9.142:14845 tcp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
US 8.8.8.8:53 mindshot.cl udp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

C:\Users\Admin\AppData\Local\Temp\7B2.dll

MD5 cd473f96a31e502950837fb6ed2fe819
SHA1 87bf2e1161ef159b56db4a6350d4dfe219f30683
SHA256 b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c
SHA512 509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94

memory/4480-130-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/4480-129-0x0000000010000000-0x00000000102D3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fa4ae5fcb44bfaf845b845961180d250
SHA1 8257ee68bdd2bc3ea2723eda7aeba404195d46bf
SHA256 574c66c19561773196a88f115168cf5d73b71fd26f9034606fe38a5535d4df96
SHA512 ad1de0c1d0f5a4a7e3615b48537f75250779368b388520b001d96367d5aa19fa88a9f471d1212e679ab9eaae854374445807877891bf1b803fa6c7886877d253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8f254055a2b1a6a9d837e2f482dca896
SHA1 fcc302475e131b6eacd392f10c6d5c0a42ccebab
SHA256 f69c92b60674597072a36fe8ab23832185b3144a8b2c1fc72c27ca31894f1509
SHA512 a0bba339e5bccac0f1cb701abdca0b823ba85ecdfdc75b50d0acea4801626b743141ed3f43d603af9fd482a46a0a58c7b18ae5099a3c50a32ecb64524802f970

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9a9c79f3f286a68bfa75d240412eeb97
SHA1 57ed0bb45ac6202f6d53e5d72205394aeb69e77f
SHA256 c147e3f824ee25a8de163ceb2b2582b0fe48d36356672e13de847d9fa920e866
SHA512 3ef8df5d493df859983f406c29909e0f968c342a3117871cc40d4cd249e391319a069ce67cb5fadfb4a8c871cc26a6b54a0b5c135a499da8fb45545b00a671ff

C:\Users\Admin\AppData\Local\Temp\4D2.exe

MD5 0019bb22eefdc3287c66e4042c6f675a
SHA1 b7cd8b83c7d100952fe8c52fa0f74a26683ed221
SHA256 a193b062bf35bdec23e7995057fc6268d5e8586507f1c4d9bb4fced250c500d1
SHA512 75883f49636a016519c78ce625e427fa0d324b44dc32fa3124a195cea56558cdb0556e77af096209bcf746822c633bc9d6c5314b5b9756b7b9a97a3ffadc3828

memory/4188-136-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3048-140-0x0000000002330000-0x00000000023C2000-memory.dmp

memory/796-145-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14C4.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

C:\Users\Admin\AppData\Local\Temp\4D2.exe

MD5 0019bb22eefdc3287c66e4042c6f675a
SHA1 b7cd8b83c7d100952fe8c52fa0f74a26683ed221
SHA256 a193b062bf35bdec23e7995057fc6268d5e8586507f1c4d9bb4fced250c500d1
SHA512 75883f49636a016519c78ce625e427fa0d324b44dc32fa3124a195cea56558cdb0556e77af096209bcf746822c633bc9d6c5314b5b9756b7b9a97a3ffadc3828

memory/796-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/796-149-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14C4.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

memory/4108-153-0x0000000073BA0000-0x0000000074350000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

memory/2032-158-0x0000000005070000-0x0000000005076000-memory.dmp

memory/2032-159-0x0000000073BA0000-0x0000000074350000-memory.dmp

memory/2032-156-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2032-160-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/3084-161-0x0000000002030000-0x00000000020C2000-memory.dmp

memory/3084-162-0x0000000002210000-0x000000000232B000-memory.dmp

memory/4324-165-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8AD.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

memory/4324-163-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-167-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-169-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8AD.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4480-173-0x0000000002410000-0x0000000002512000-memory.dmp

memory/4480-176-0x0000000002520000-0x0000000002608000-memory.dmp

memory/4956-177-0x0000000073BA0000-0x0000000074350000-memory.dmp

memory/4480-178-0x0000000002520000-0x0000000002608000-memory.dmp

memory/2032-180-0x0000000073BA0000-0x0000000074350000-memory.dmp

memory/4480-181-0x0000000002520000-0x0000000002608000-memory.dmp

memory/4480-182-0x0000000002520000-0x0000000002608000-memory.dmp

memory/2032-183-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/4024-186-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8AD.exe

MD5 c2273e3679c0660d8b4cd294ec6f88a7
SHA1 1b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256 d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512 afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d

memory/4024-187-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4024-189-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2032-192-0x0000000073BA0000-0x0000000074350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4