Malware Analysis Report

2025-04-14 07:24

Sample ID 230915-pjnatsbe3w
Target 05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe
SHA256 05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa
Tags
amadey dcrat djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 up3 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer themida trojan vidar 7b01483643983171e949f923c5bc80e7
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa

Threat Level: Known bad

The file 05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey dcrat djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 pub1 up3 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer themida trojan vidar 7b01483643983171e949f923c5bc80e7

Detect Fabookie payload

SmokeLoader

Detected Djvu ransomware

Vidar

Amadey

Djvu Ransomware

Fabookie

DcRat

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Themida packer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Modifies file permissions

Deletes itself

Checks whether UAC is enabled

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-15 12:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-15 12:21

Reported

2023-09-15 12:24

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\27DA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\474B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a0fc14ab-d682-4890-959b-6b40b37f7722\\27DA.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\27DA.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4A0B.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4A0B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4A0B.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\21CC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20E1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FE1A.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\Temp\20E1.exe
PID 3100 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\Temp\20E1.exe
PID 3100 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\Temp\20E1.exe
PID 3100 wrote to memory of 4136 N/A N/A C:\Users\Admin\AppData\Local\Temp\21CC.exe
PID 3100 wrote to memory of 4136 N/A N/A C:\Users\Admin\AppData\Local\Temp\21CC.exe
PID 3100 wrote to memory of 4136 N/A N/A C:\Users\Admin\AppData\Local\Temp\21CC.exe
PID 3100 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe
PID 3100 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe
PID 3100 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe
PID 3100 wrote to memory of 3176 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3100 wrote to memory of 3176 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3100 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 3100 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 3100 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 3176 wrote to memory of 2988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3176 wrote to memory of 2988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3176 wrote to memory of 2988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2024 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\23D1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3100 wrote to memory of 4620 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F5B.exe
PID 3100 wrote to memory of 4620 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F5B.exe
PID 2436 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Windows\SysWOW64\icacls.exe
PID 2436 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Windows\SysWOW64\icacls.exe
PID 2436 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Windows\SysWOW64\icacls.exe
PID 3100 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\474B.exe
PID 3100 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\474B.exe
PID 3100 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\474B.exe
PID 3100 wrote to memory of 4740 N/A N/A C:\Users\Admin\AppData\Local\Temp\4A0B.exe
PID 3100 wrote to memory of 4740 N/A N/A C:\Users\Admin\AppData\Local\Temp\4A0B.exe
PID 3100 wrote to memory of 4740 N/A N/A C:\Users\Admin\AppData\Local\Temp\4A0B.exe
PID 3064 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\474B.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3064 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\474B.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3064 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\474B.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4528 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4528 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4528 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2436 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2436 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\27DA.exe C:\Users\Admin\AppData\Local\Temp\27DA.exe
PID 2400 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2400 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2400 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe

"C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe"

C:\Users\Admin\AppData\Local\Temp\20E1.exe

C:\Users\Admin\AppData\Local\Temp\20E1.exe

C:\Users\Admin\AppData\Local\Temp\21CC.exe

C:\Users\Admin\AppData\Local\Temp\21CC.exe

C:\Users\Admin\AppData\Local\Temp\23D1.exe

C:\Users\Admin\AppData\Local\Temp\23D1.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\26B0.dll

C:\Users\Admin\AppData\Local\Temp\27DA.exe

C:\Users\Admin\AppData\Local\Temp\27DA.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\26B0.dll

C:\Users\Admin\AppData\Local\Temp\27DA.exe

C:\Users\Admin\AppData\Local\Temp\27DA.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\3F5B.exe

C:\Users\Admin\AppData\Local\Temp\3F5B.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a0fc14ab-d682-4890-959b-6b40b37f7722" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\474B.exe

C:\Users\Admin\AppData\Local\Temp\474B.exe

C:\Users\Admin\AppData\Local\Temp\4A0B.exe

C:\Users\Admin\AppData\Local\Temp\4A0B.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\27DA.exe

"C:\Users\Admin\AppData\Local\Temp\27DA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\27DA.exe

"C:\Users\Admin\AppData\Local\Temp\27DA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4592 -ip 4592

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 568

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=26192 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb9d969758,0x7ffb9d969768,0x7ffb9d969778

C:\Users\Admin\AppData\Local\Temp\FE1A.exe

C:\Users\Admin\AppData\Local\Temp\FE1A.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1304 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1692 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=26192 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2000 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=26192 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2380 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=26192 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2364 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=26192 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3180 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=26192 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3336 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=26192 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3516 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=3680 --field-trial-handle=1452,i,11415709924395869077,7057854220428018622,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f8 0x44c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=19218 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD" --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb8eb946f8,0x7ffb8eb94708,0x7ffb8eb94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1468 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1880 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=19218 --allow-pre-commit-input --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=19218 --allow-pre-commit-input --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=19218 --allow-pre-commit-input --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=19218 --allow-pre-commit-input --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=19218 --allow-pre-commit-input --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=19218 --allow-pre-commit-input --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1432,2834571810563111335,9702936213323087289,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=audio --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=3508 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 38.181.25.43:3325 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 api-alajman.com udp
GB 193.32.208.75:443 api-alajman.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 75.208.32.193.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 139.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 gudintas.at udp
MX 189.232.123.108:80 gudintas.at tcp
US 8.8.8.8:53 108.123.232.189.in-addr.arpa udp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
US 95.214.27.254:80 tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
US 8.8.8.8:53 h170700.srv22.test-hf.su udp
RU 91.227.16.22:80 h170700.srv22.test-hf.su tcp
US 8.8.8.8:53 22.16.227.91.in-addr.arpa udp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
MX 189.232.123.108:80 gudintas.at tcp
US 95.214.27.254:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.251.36.54:443 i.ytimg.com tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 54.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 ogs.google.com udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 194.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.162:443 googleads.g.doubleclick.net tcp
NL 142.250.179.162:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 162.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 95.214.27.254:80 tcp
NL 142.251.36.54:443 i.ytimg.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
NL 142.250.179.162:443 googleads.g.doubleclick.net tcp
NL 142.250.179.162:443 googleads.g.doubleclick.net udp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
N/A 127.0.0.1:26192 tcp
N/A 127.0.0.1:26192 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
N/A 127.0.0.1:26192 tcp
N/A 127.0.0.1:26192 tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
N/A 127.0.0.1:19218 tcp
N/A 127.0.0.1:19218 tcp
N/A 127.0.0.1:19218 tcp
N/A 127.0.0.1:19218 tcp

Files

memory/4192-0-0x0000000000550000-0x0000000000565000-memory.dmp

memory/4192-1-0x0000000000570000-0x0000000000579000-memory.dmp

memory/4192-2-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4192-3-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3100-4-0x0000000003240000-0x0000000003256000-memory.dmp

memory/4192-5-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4192-8-0x0000000000550000-0x0000000000565000-memory.dmp

memory/4192-9-0x0000000000570000-0x0000000000579000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20E1.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\20E1.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\21CC.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

C:\Users\Admin\AppData\Local\Temp\21CC.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

C:\Users\Admin\AppData\Local\Temp\23D1.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

memory/1652-25-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4136-27-0x00000000007C0000-0x00000000007F0000-memory.dmp

memory/4136-28-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1652-26-0x00000000021A0000-0x00000000021D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\23D1.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

memory/1652-39-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27DA.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\27DA.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/1652-41-0x00000000024D0000-0x00000000024D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26B0.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

memory/4136-44-0x0000000002340000-0x0000000002346000-memory.dmp

memory/4136-45-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26B0.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

memory/2988-49-0x0000000010000000-0x0000000010243000-memory.dmp

memory/2988-48-0x0000000000A50000-0x0000000000A56000-memory.dmp

memory/2024-51-0x0000000002580000-0x000000000269B000-memory.dmp

memory/2024-52-0x00000000024E0000-0x0000000002580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27DA.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2436-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2436-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2436-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4136-56-0x0000000004AD0000-0x00000000050E8000-memory.dmp

memory/2436-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4136-58-0x0000000005100000-0x000000000520A000-memory.dmp

memory/4136-61-0x0000000002390000-0x00000000023A0000-memory.dmp

memory/4136-60-0x0000000005240000-0x0000000005252000-memory.dmp

memory/1652-62-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/4136-63-0x0000000005260000-0x000000000529C000-memory.dmp

memory/4136-64-0x0000000005300000-0x000000000534C000-memory.dmp

memory/2744-65-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2744-69-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2744-68-0x00000000011D0000-0x00000000011D6000-memory.dmp

memory/1652-71-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F5B.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

memory/2744-77-0x00000000011C0000-0x00000000011D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F5B.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

memory/4136-74-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4620-83-0x00007FFB8CDA0000-0x00007FFB8D861000-memory.dmp

memory/4620-80-0x0000022D39EF0000-0x0000022D39FA0000-memory.dmp

memory/4620-84-0x0000022D545C0000-0x0000022D545D0000-memory.dmp

memory/4620-85-0x0000022D3BB60000-0x0000022D3BB68000-memory.dmp

memory/4620-86-0x0000022D3BB90000-0x0000022D3BBAA000-memory.dmp

memory/4620-87-0x0000022D3BB70000-0x0000022D3BB76000-memory.dmp

memory/4620-88-0x0000022D3BCE0000-0x0000022D3BD68000-memory.dmp

memory/2988-89-0x00000000025E0000-0x00000000026FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\474B.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\474B.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2988-96-0x0000000002700000-0x00000000027FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4A0B.exe

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

C:\Users\Admin\AppData\Local\Temp\4A0B.exe

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

memory/2436-101-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2988-102-0x0000000002700000-0x00000000027FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2988-107-0x0000000002700000-0x00000000027FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4740-117-0x00000000007B0000-0x00000000007B9000-memory.dmp

memory/4740-114-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/4740-118-0x0000000000400000-0x0000000000712000-memory.dmp

memory/1652-112-0x0000000004C80000-0x0000000004C90000-memory.dmp

memory/4136-111-0x0000000002390000-0x00000000023A0000-memory.dmp

memory/2988-110-0x0000000002700000-0x00000000027FF000-memory.dmp

C:\Users\Admin\AppData\Local\a0fc14ab-d682-4890-959b-6b40b37f7722\27DA.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2436-122-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4136-121-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/4136-120-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/4136-123-0x0000000005C00000-0x00000000061A4000-memory.dmp

memory/4136-124-0x00000000056A0000-0x0000000005706000-memory.dmp

memory/2436-125-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27DA.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2304-129-0x00000000022F0000-0x000000000238E000-memory.dmp

memory/2744-131-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4592-133-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4592-134-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27DA.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/4620-136-0x00007FFB8CDA0000-0x00007FFB8D861000-memory.dmp

memory/4592-137-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/2744-145-0x00000000011C0000-0x00000000011D0000-memory.dmp

memory/3100-146-0x0000000003370000-0x0000000003386000-memory.dmp

memory/4740-150-0x0000000000400000-0x0000000000712000-memory.dmp

memory/2744-152-0x0000000006700000-0x0000000006750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/488-159-0x00007FF77D940000-0x00007FF77D978000-memory.dmp

memory/2744-158-0x0000000008CD0000-0x0000000008E92000-memory.dmp

memory/2744-160-0x00000000093D0000-0x00000000098FC000-memory.dmp

memory/4620-161-0x0000022D545C0000-0x0000022D545D0000-memory.dmp

memory/488-172-0x0000000003050000-0x00000000031C1000-memory.dmp

memory/488-174-0x00000000031D0000-0x0000000003301000-memory.dmp

memory/4136-176-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 2edbbbf500448a2e906b6f60f3115858
SHA1 2044c7522fa475432868dd560d97b045f5bc9795
SHA256 874e2ffa85bf4a2b66018cf8fc27fb5338d7f111cf4471bf5c2df6dbf3d3e1d6
SHA512 22eed409c76140ea9c60a9899891ae33c727a17541512d691ef580b19a2d1a2c48d837c48c0e6efb8c370d6b62d0cdd15a4fd208fcff13cc6c63e922874c60a7

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 2edbbbf500448a2e906b6f60f3115858
SHA1 2044c7522fa475432868dd560d97b045f5bc9795
SHA256 874e2ffa85bf4a2b66018cf8fc27fb5338d7f111cf4471bf5c2df6dbf3d3e1d6
SHA512 22eed409c76140ea9c60a9899891ae33c727a17541512d691ef580b19a2d1a2c48d837c48c0e6efb8c370d6b62d0cdd15a4fd208fcff13cc6c63e922874c60a7

memory/364-186-0x0000000000D50000-0x00000000014A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 2edbbbf500448a2e906b6f60f3115858
SHA1 2044c7522fa475432868dd560d97b045f5bc9795
SHA256 874e2ffa85bf4a2b66018cf8fc27fb5338d7f111cf4471bf5c2df6dbf3d3e1d6
SHA512 22eed409c76140ea9c60a9899891ae33c727a17541512d691ef580b19a2d1a2c48d837c48c0e6efb8c370d6b62d0cdd15a4fd208fcff13cc6c63e922874c60a7

memory/2744-189-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/364-190-0x0000000076FA4000-0x0000000076FA6000-memory.dmp

memory/364-191-0x0000000000D50000-0x00000000014A6000-memory.dmp

memory/1652-194-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/488-195-0x00000000031D0000-0x0000000003301000-memory.dmp

memory/364-196-0x0000000000D50000-0x00000000014A6000-memory.dmp

memory/364-197-0x0000000000D50000-0x00000000014A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\vsaeawr

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

memory/364-201-0x0000000000D50000-0x00000000014A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1556-203-0x0000000000400000-0x0000000000487000-memory.dmp

memory/1556-206-0x0000000000400000-0x0000000000487000-memory.dmp

memory/364-204-0x0000000000D50000-0x00000000014A6000-memory.dmp

memory/1556-207-0x0000000000400000-0x0000000000487000-memory.dmp

memory/1556-208-0x0000000000C50000-0x0000000000CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 0eab9cbc81b630365ed87e70a3bcf348
SHA1 d6ce2097af6c58fe41f98e1b0f9c264aa552d253
SHA256 e8f1178d92ce896b5f45c707050c3e84527db102bc3687e1e7208dbd34cd7685
SHA512 1417409eee83f2c8d4a15f843374c826cc2250e23dc4d46648643d02bfbf8c463d6aa8b43274bf68be1e780f81d506948bf84903a7a1044b46b12813d67c9498

memory/1556-210-0x0000000005470000-0x00000000054DC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\bccb8ce96182140ed455a4d38153efe8

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Users\Admin\AppData\Local\Temp\FE1A.exe

MD5 b9d54281382702952367d21a226c47a3
SHA1 8e0eb2d3829523887fe659fb5ab20c0058c9cbda
SHA256 e54f49d1acb2f52c5a889249ec33b5d56135140013b749c920cc53dc461682a6
SHA512 57bca6ca960105604fd75660e89762bc288f69f52c598044867745449518d5f99c4ed1e0801841adb52f82d712410aa6a6bd4119bec44932c05df57aafc7ecdc

C:\Users\Admin\AppData\Local\Temp\FE1A.exe

MD5 b9d54281382702952367d21a226c47a3
SHA1 8e0eb2d3829523887fe659fb5ab20c0058c9cbda
SHA256 e54f49d1acb2f52c5a889249ec33b5d56135140013b749c920cc53dc461682a6
SHA512 57bca6ca960105604fd75660e89762bc288f69f52c598044867745449518d5f99c4ed1e0801841adb52f82d712410aa6a6bd4119bec44932c05df57aafc7ecdc

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Local State

MD5 0945575d569e81f2790e07c7b2f5b0d3
SHA1 a80ac4b394928f06a8a66414f147d26013d4ac0d
SHA256 02f1b9a81456198cb8161d2b69967c2071c63fe301a48835e05e9d99af40be48
SHA512 887a4f3fced8f893fce329124fbee9725fcbafac9441ac95ee79457555e8802848aff47b4e73ee48ef5b2896535fc2d152c1b6f3f0eb92561e0030a5a86d3380

\??\pipe\crashpad_3044_YJEZKXVNWXNDEFOB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Network\TransportSecurity

MD5 c56f7b50653c31b3b669432336f35c8e
SHA1 e14765cc25ade1bac8b6732af7a192e068bcad4b
SHA256 dbbdcc1f567e1b503837fd6f556929edacc625a9cfd454b775a74090f8908e9d
SHA512 82f6637fe3e0fbf4e509a1513eba7a5a47afec89d98d37919130d1c353d81888eebeb8718a6fd6b0119cee3df149b2b01c254276ae8c092fbe34e22d4ea3caba

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Network\Reporting and NEL

MD5 8eac6f8d2428e08a6b80cd00e24abf34
SHA1 5ced273499231e3489ed6937da45d539dfdcc1b5
SHA256 203950531cd05e2515360e41e2bf65ff8da88a50fb4d2375e8acd6481085a0ca
SHA512 a9664a09ffb7924a05962d39a98ed12da61561337773aa41339133812605e4576cc6376d3c6033c467be64ff75d0b15461fd5246e10560e620038d75f8cc6e04

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Network\Network Persistent State

MD5 e3b0e768e5c995a6074a88a4d956b41b
SHA1 4cf02dc1ee9d38531c9dc5c962472a56dbcb46e1
SHA256 17fbe2068f4b76930da30cd7eb42deca268670df567ec1c899fb448ff1c6ae3e
SHA512 5b554bfd7904e97019bfcb5f651f5bc296ab66990b0e2d86f17f8a4e21fb7d5fd5eeccc405953cee1e216022325949d253fa6f333039474f46e0eaa297b89e3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Network\bccb8ce96182140ed455a4d38153efe8

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Local Storage\leveldb\LOG

MD5 1e0969617828b91794eeffed8e418da2
SHA1 cf33911284f3cd4dbb1005f04f3da440fbc6b217
SHA256 ff6fbec7d20b815df94af0d679720434e22f7b6a572c627492e5dc34d230f3b8
SHA512 bf4f645596da5ad4a85871239bb4f41f2725f97598b3e855d1403f7e2f70a6d646a202de7f51226d2c91df3e81639681efd3d131c16e012dc5107f75a5f8bfa4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Local Storage\leveldb\LOG.old

MD5 82becd23199c26660e375df58dc6bb3d
SHA1 212b762e27216a34f2431f7bf565bbe88600523f
SHA256 b95d2c7bffe4e3ecdc7248ec8adc3610e3f635abc713b324e33a30d2adc6d2f0
SHA512 07e17ee7ed2a77f7067c1879f575b9b088fc7e91c041a9a442838c017f8a7646fb5e2d3af4f4766114836e03dd016a018d94b51c4a9760f06a20f5bf93a6034a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 fd678de77aaa818d7c9f0785c2e3c88c
SHA1 43e7354670e36d94f71d5ff7af52bd012aa0e44e
SHA256 597feb4bff13a2a531b2aa0e9f3fd39e89e09b369ac4c4270e32d78d02b8ae40
SHA512 994911b13bef89810965f5b9c777a6e1bb98311b92329ef105d471c517659474cc28eb4708927aabf3a8551361f9acc30c5bc28dd6e37570c7b33d401cb325a8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 52f79efb57dcc7b31cbe4b9a0951fc64
SHA1 c5efc217a270f3d262c1c9824818d4d5d6a98f9b
SHA256 d02aa1f67efe135c946a37a20f7fee8732808ace3662c78314f181dd76d6f593
SHA512 8cd8af93feabd7dd19164353a5937b6b19dab31cb4de6beb30daa8a1873d43d41b2a3eb09c0ecf901c641f7dbaac35ba8cbf6d3d41859d491de25e7b548cbf87

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe594ffb.TMP

MD5 20c154874c7e4c306834e5228623bf2e
SHA1 a0fd2592c910835f4f96c385b592f501214141fa
SHA256 322b683b8f85a16e560cf3a2945e81d26326467ecc644184f82e1ee3422ef999
SHA512 27d68e0d2270e3d0956ed93e6aad9ae03a43c8c2a98692bad7f1a9f39c56dd8690dec0218095a38d4b364db60719ff3e038982d5876d9acd10aedc129a907131

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Code Cache\js\index-dir\the-real-index

MD5 306ff6f7264f630d0ae1b1ac6a6cd90a
SHA1 6db56ed05e77dc9c6cfe0c7def1b73c7cab3496e
SHA256 607236bb3c8b50af195d1b78de66a7fb7b906ede52750ecd06a48fb47c299695
SHA512 48bf4bfd17579dd5ed12ec2203db0fc2a829d9dc7834faf2c22a180b02de2ce7f42a7900c893c0f869bad0ee55ef67fcd8511432d34dc41b05ab6fd11b4f995e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Code Cache\js\index-dir\the-real-index

MD5 cc65e325fede02ad3674985d9c95e368
SHA1 91955e76cfe0c22335ada447595e276becadecad
SHA256 7b5414fe480472b365e807c4b43e614f9b546c52ea768b1cecfac40d53f8d022
SHA512 1d189e1cedde17fbd836eaff851b127abd61cd4b48a87c284f45ae1c636b47397f053f6e8c5359338899be2247d409ed30cf32dfea7fd13d501b37766b703971

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 0f067b403a6fe7b4fb0c9486ce6d5cd6
SHA1 9e9982befd8b9e9e1161245c1f9e402ec6405f6f
SHA256 a8647449326ebe27b0036801b355d7adbbaef7fa0fd6b881279bef342603b87a
SHA512 2efcc7f06fa5aa5c4dadb77d5bfb59aca419442a766522e1135727bc1569e10adca2359814a1f19483f272b5b68e59bd123b24b94646c98dfd867732f8700ee8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe595460.TMP

MD5 034e3bfe98d800bd010b55108d923c00
SHA1 2709139faa5095fe815264ff1be8185c4f676f0b
SHA256 7b60e68c79790733ed99be65d783b7c08a76d279ff0b84329cfd5ee94ecf79bd
SHA512 9ecc0b255f4a3ce6cb30f66ccdfbfda829a080eeda875914e1695b150e68942914f347e6e877bb84284ca70fab103a088fc4e9854852884efff50390cc950f0c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Crashpad\settings.dat

MD5 1394fc0076a2ba37209837c9b2b28511
SHA1 fe4c0d9faf43c040c4496770ce883eff825b2b96
SHA256 d502aebf6c882cdb1d90e2d646507746e1e136ea87c0cefe43863078bf213d89
SHA512 b5acff58cd25b6698c333d56edc5690e399b7d1427db7559fb40f2e1a1af3258370a8d370f97ea78f653765090575f16d3d3c6c2fabf11fcf797d65530500423

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\DevToolsActivePort

MD5 06371f6055fdb9c597d86dac345e67fa
SHA1 5030d5b5ad142b834c17aac88603df80b07c4b12
SHA256 03fa9ebd4d6d2496029ee5939b552b4589d8093054801ac91ecc8c2e20ec4c11
SHA512 be0861ee910437ba911dff4075b0cd10b041b7feda076e9fbf2dd009d39678959d5633e242596d0fca506d610d0ad096e7c9c26afcaaee11ca2d8859f2c80e71

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\data_2

MD5 9ae6e7d16df07fa993738ac6baf63faa
SHA1 0a1fbd94822f68fd2db358e73b75982e3e0620d1
SHA256 d88a9709b5c9b2db0a4d9880238f1aadcff9f32c22ba39263beecf5c2068599b
SHA512 5d5e803e24f875a86e58ddd74fe09d1c34db7e98ede9a942eb33d9d564b4cc001d590f5b3177630adf48d21c6f66255e615df6655980d5bc19a0ed1c35f95e39

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\data_0

MD5 3c62232b762d334a93cb7433fbeff7ca
SHA1 f193c7eca032a8ea9ec448bc339b6fd39bd22ff9
SHA256 4c2cb409a0621e378248e7ee574a3b7dda15359b30ba0a8a21bb1ea1f3f935d7
SHA512 37da25b85bc7f5b07e4012751f89face97d0bec5ffe9929e40a32f158208d51de40eda9f3d824ef67b04e5cb3c6721f4c5fbdf6468d678eb8966acfbea8eb093

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000008

MD5 0bbbb294e81f769dcd211cf105d38523
SHA1 5f69e302181398ab01e2ebeb238f5a5dd2df812f
SHA256 2dec792acf1105a53b1c8b174dbc6dafe100ee6885aed247eb5cd36902c90c78
SHA512 4e6c06e5ecb131e69907e1f0cce2a20420a351bcd7ab0602577077ccc8edff588b1176fb31a2e4c09e9e5d5460663f95549a07451f095d45312a0f86969533b4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000007

MD5 52129e62d5eb39c400e5e8ffc3f513c4
SHA1 f39c492c3c726ea266f2362ebc8902b53d0a677e
SHA256 37357ff2feb91efca153a9b27888fc16ba4e4eab4bf3d9371f9a7569d51542ed
SHA512 df751708c513cae8f07db74efd0d42ad1a855efbf9b192db54ada84cf38113d5b8aae6cbea630482731739086cec8d8062c4f13ab5ed45f8bae735c4c5cf2cee

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000006

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000005

MD5 117b6fa9275a2447a08de6f831448580
SHA1 b1c629759a6cc823b7ea8722a1215e58df804f8e
SHA256 ceb83e479cbf7789242592a3898cd1b815db08de8fe76e194b5857c3cca8649c
SHA512 de7e62959b10325461bf6f75734fd07ef6155e8066107c8d23e98067d656b2e4c8567b939cbaf1720e031a9f4da9536e2bf923ab7c7746f7bf210f887b0e0f78

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000004

MD5 5927c0de61be67b0ec439909ae3e708f
SHA1 5ddebd6d1f2746f63dd2132b418804567150685d
SHA256 5e1d6d330dad169aeda005c9abbab1c62b9dc23f060ca3ea1c9f49eebfc80e38
SHA512 bf6161f025676d370221ef0da686fd510f479a00c8d91e2dc75d7178e27c904ec75c9816bd5b3e940c996774964d5c6368047e0d1bec226f97981a5b53174f79

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000003

MD5 5927c0de61be67b0ec439909ae3e708f
SHA1 5ddebd6d1f2746f63dd2132b418804567150685d
SHA256 5e1d6d330dad169aeda005c9abbab1c62b9dc23f060ca3ea1c9f49eebfc80e38
SHA512 bf6161f025676d370221ef0da686fd510f479a00c8d91e2dc75d7178e27c904ec75c9816bd5b3e940c996774964d5c6368047e0d1bec226f97981a5b53174f79

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000002

MD5 b38618d73414464c59d36b97cc192b46
SHA1 75df2cccc016c2d27734f5ecfcfdd870b96cc06f
SHA256 160e9bf125ca8f8576df7a0116f3678a8189e7e9328f4fa89d4bc4f226fefb61
SHA512 abc1824b7af9fcb7309c30d625de66394a2c123d0b138307d0e8f953d28cea1bd6241b1110c584228a057f76406f29519abc2ad9074687b2d9384f8884140861

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\f_000001

MD5 8d6974dc7e01af35c31d9c6bbad10610
SHA1 e62214cfc9458a83a65845b4259b8cc9ae2c1537
SHA256 783a0f48753b20e7eaf5b9972643b9346e1ca09cea7384000cc30f396d619bde
SHA512 ba41be8fe186830250fe0027e1fa35781dddddc7baea43b31b1aab02dfe9de3e9a521652b3b3243104bfee27d0927e84b0185adcac3761a64358ce1b0686f887

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\data_3

MD5 6c43751fcf51834266845cfcf980e86c
SHA1 c9735b6a53106b1a6c5a4b5dcdd1fef40a01327c
SHA256 59258f0d76e8e072b97bebfc6b87069fc31304a8768bae7c2c60bcb2c48db1e2
SHA512 5c7efa3ec838e2c7bb1a5a358af1348a263d3a13401b83f3c33b0273f83e5a761739ad80cc5f1681e347482831338a2a38ca2730d48fa6e30c08baf1fb2f3a0e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJLOT6\Default\Cache\Cache_Data\data_1

MD5 5c1dea6b4d67e413c938b1a3d9e1ca31
SHA1 88d57cd3949eed0c9c14031c021844aba21f0974
SHA256 7796bbd5223c7156e5d9fa73c52af30e87cac33459b8a76df3ec88cdbe7dbe64
SHA512 05c173dfa172deb3851c86795bfba9e87030b250cee064c93fd90fa81728fc10c795ab1cb0716581fd6608475e804c22a672855ce3f3b9e97328a42a20aed9ce

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

memory/1500-578-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD\Default\Cache\f_000003

MD5 3275a2ca76dc8f815c70a4debc38bfc3
SHA1 9663dfc792adb040b3592ded101a4245dac871f1
SHA256 ebe640f85df69db0097a2809b7989e98e8dc3ecc07452e9428d2f84667f1c8f4
SHA512 5e44bd94fc0c7b8e8de9a4366eeafccd8b5b230de233d925284bfb0b813c42cc27c1fab7e3bc738bc7fc0cb41c198ee03eb38dffd76bedb594a6ac4ccd996fde

memory/3100-643-0x0000000008AE0000-0x0000000008AF6000-memory.dmp

memory/1500-644-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1c815c407215b8cbe99cd25187fac11e
SHA1 238426363cdae70ece5795ae5e44ce327f78419d
SHA256 7c819d51edc60acb5ee69bf663f356581e032460178d9de97951b1dca945164b
SHA512 42d072b3e0def4c9bd572852108504ee12024925e7de46868c97b16e4169e371e7c53e5aa63f651740104b7a5795e48b7f24122a30ca4d85e7059aec65e30865

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 24fb548fb4054b7723b275a876af4f82
SHA1 bb078769956bda4ec43899fe2dcce100105d4260
SHA256 cfca4059648fa1191ae9292e26459f41d74219bad457b6cdd879b5e9a6e77d3e
SHA512 172e7afa318c2ef5318688aa877124a3d5eb6cbeb4e111f2d081e137b345803c6d1be8271a7db2054c333cde866a1218fecc7cebd63dcc0938635fac16ebfe68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD\Default\Code Cache\js\index-dir\the-real-index~RFe59a52f.TMP

MD5 3df27c597a8f1a848961f203297ac956
SHA1 a00b68c7ee351356ee5378947b6a8106045b00da
SHA256 06c93fb69167824da538a6fd410138fac5aace7072ecf96833104f3e1d74845c
SHA512 327c45cb3b31b8cbe66db53449cb1d1e1ec4cc2ac1b52becce39dbb31ba3fa7c375c76da24dd84c84454fc99ecdd68fc12caa6fba73ddc81ed012c824f53ada5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD\Default\Code Cache\js\index-dir\the-real-index

MD5 335561f99cecdc4aaabe6d10c9f15487
SHA1 20b236a7c99a25db2eafd075c7c3a2a603c87918
SHA256 cc8b27116f965fa9537d9a81a519e216a60da8803e8f4ed4e52da5933969caed
SHA512 46cf0a5a972a9473b9f3bbea654ca5b90be96b9ab45f7d89d141a05992e020862d7fce8bf1c6724fc44ef1d267a4834cf3b2aef98fac72f432e774d70beee5fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataRXPWD\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 3ff19f2aad60687939807d184e62f869
SHA1 8db5a60d26866f4e5ec5e4cbda60ad3af5913f27
SHA256 06e649e08b43ceb0b074afac71a865f269057d24c60c6dbb4320478e4a0aacb6
SHA512 710099e46ffc6f6c34723306ce13fe31d398919d5de19f07f50072ca24bae60137a14fd1453e81266a3d00254a56a77ae49aebb503106246590591bf23ea0cd8

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-15 12:21

Reported

2023-09-15 12:24

Platform

win7-20230831-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d166a4a2-c570-4496-969b-87435d777e10\\B002.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B002.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\B002.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\B002.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\B002.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\B002.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\B002.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9ED0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9D87.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D87.exe
PID 1244 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D87.exe
PID 1244 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D87.exe
PID 1244 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D87.exe
PID 1244 wrote to memory of 240 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ED0.exe
PID 1244 wrote to memory of 240 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ED0.exe
PID 1244 wrote to memory of 240 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ED0.exe
PID 1244 wrote to memory of 240 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ED0.exe
PID 1244 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\A382.exe
PID 1244 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\A382.exe
PID 1244 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\A382.exe
PID 1244 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\A382.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2748 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\A382.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1244 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2488 wrote to memory of 2972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 2972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 2972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 2972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 2972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 2972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 2972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1244 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 1244 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 1244 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 1244 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 3016 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 384 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Windows\SysWOW64\icacls.exe
PID 384 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Windows\SysWOW64\icacls.exe
PID 384 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Windows\SysWOW64\icacls.exe
PID 384 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Windows\SysWOW64\icacls.exe
PID 384 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 384 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 384 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 384 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe
PID 2104 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\B002.exe C:\Users\Admin\AppData\Local\Temp\B002.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe

"C:\Users\Admin\AppData\Local\Temp\05d828574c74668fdd02f3a0e093e947cf7e1ee0970be402c775ebb236b812fa_JC.exe"

C:\Users\Admin\AppData\Local\Temp\9D87.exe

C:\Users\Admin\AppData\Local\Temp\9D87.exe

C:\Users\Admin\AppData\Local\Temp\9ED0.exe

C:\Users\Admin\AppData\Local\Temp\9ED0.exe

C:\Users\Admin\AppData\Local\Temp\A382.exe

C:\Users\Admin\AppData\Local\Temp\A382.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AC97.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AC97.dll

C:\Users\Admin\AppData\Local\Temp\B002.exe

C:\Users\Admin\AppData\Local\Temp\B002.exe

C:\Users\Admin\AppData\Local\Temp\B002.exe

C:\Users\Admin\AppData\Local\Temp\B002.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d166a4a2-c570-4496-969b-87435d777e10" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B002.exe

"C:\Users\Admin\AppData\Local\Temp\B002.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B002.exe

"C:\Users\Admin\AppData\Local\Temp\B002.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FCEA.exe

C:\Users\Admin\AppData\Local\Temp\FCEA.exe

C:\Users\Admin\AppData\Local\Temp\D2.exe

C:\Users\Admin\AppData\Local\Temp\D2.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

"C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe"

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

"C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe"

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build3.exe

"C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B916531D-EB6B-431D-9659-C1C091E5F9CF} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
MD 176.123.9.142:14845 tcp
US 38.181.25.43:3325 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
MX 187.134.40.51:80 colisumy.com tcp
BG 193.42.32.101:80 193.42.32.101 tcp
UZ 195.158.3.162:80 zexeq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api-alajman.com udp
GB 193.32.208.75:443 api-alajman.com tcp
GB 193.32.208.75:443 api-alajman.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
UZ 195.158.3.162:80 zexeq.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 apps.identrust.com udp
NL 149.154.167.99:443 t.me tcp
US 2.18.121.141:80 apps.identrust.com tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
NL 23.222.49.98:443 steamcommunity.com tcp
DE 116.203.7.16:80 116.203.7.16 tcp

Files

memory/2324-0-0x0000000000220000-0x0000000000235000-memory.dmp

memory/2324-1-0x00000000003E0000-0x00000000003E9000-memory.dmp

memory/2324-2-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1244-3-0x0000000002940000-0x0000000002956000-memory.dmp

memory/2324-4-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2324-8-0x0000000000220000-0x0000000000235000-memory.dmp

memory/2324-7-0x00000000003E0000-0x00000000003E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9D87.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\9D87.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\9ED0.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

C:\Users\Admin\AppData\Local\Temp\9ED0.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

memory/2744-24-0x0000000000230000-0x0000000000260000-memory.dmp

memory/2744-25-0x0000000000400000-0x0000000000445000-memory.dmp

memory/240-29-0x0000000000400000-0x0000000000445000-memory.dmp

memory/240-27-0x00000000002C0000-0x00000000002F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ED0.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

C:\Users\Admin\AppData\Local\Temp\9D87.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

memory/240-36-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2744-37-0x0000000074630000-0x0000000074D1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A382.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

memory/2744-42-0x00000000005B0000-0x00000000005B6000-memory.dmp

memory/240-43-0x00000000004D0000-0x00000000004D6000-memory.dmp

memory/2744-44-0x00000000047E0000-0x0000000004820000-memory.dmp

memory/1528-45-0x0000000000400000-0x0000000000430000-memory.dmp

memory/240-47-0x00000000047D0000-0x0000000004810000-memory.dmp

memory/1528-48-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1528-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1528-49-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1528-50-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1528-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1528-53-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1528-55-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1528-57-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/1528-58-0x0000000000290000-0x0000000000296000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC97.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

memory/1528-60-0x00000000006B0000-0x00000000006F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\AC97.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

C:\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2972-69-0x0000000000170000-0x0000000000176000-memory.dmp

memory/2972-68-0x0000000010000000-0x0000000010243000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/3016-71-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/384-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/384-78-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/3016-76-0x00000000007A0000-0x00000000008BB000-memory.dmp

memory/3016-74-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/384-81-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/240-82-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/384-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2744-83-0x0000000074630000-0x0000000074D1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBAD9.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2744-104-0x00000000047E0000-0x0000000004820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarBC71.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\d166a4a2-c570-4496-969b-87435d777e10\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/384-123-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2972-124-0x0000000001F80000-0x000000000209A000-memory.dmp

memory/2104-128-0x0000000000290000-0x0000000000322000-memory.dmp

memory/2104-130-0x0000000000290000-0x0000000000322000-memory.dmp

memory/2972-132-0x0000000002320000-0x000000000241F000-memory.dmp

\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/1528-131-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/240-129-0x00000000047D0000-0x0000000004810000-memory.dmp

memory/2972-127-0x0000000002320000-0x000000000241F000-memory.dmp

memory/2972-126-0x0000000010000000-0x0000000010243000-memory.dmp

memory/2972-137-0x0000000002320000-0x000000000241F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B002.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2972-141-0x0000000002320000-0x000000000241F000-memory.dmp

memory/2844-143-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2844-142-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1528-144-0x00000000006B0000-0x00000000006F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c5ce1da9c476a548f0dbde0db2742fe
SHA1 b50fcbfe6ab81ba523d6c518c28bc3cd1993e84f
SHA256 9a3033806d1a5ad60bb28be1224bb8c068492d32017420789ef42e9b9199edc0
SHA512 e30f12723b1d3a498d29d95b913f49f836fe6a957453918c0d22b37e7447520df4122e90ffe29d090509b2438ce856021f90beecc3e3a7570216c4b58b6ee520

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 89bb141341383b74f559ed43f2217f12
SHA1 947d50268a43e6e9525a2ece9ddfd838c1e967d0
SHA256 06ae6a1ac963bf5f52076548cc66cdbd61ed4c4aeaeb4d546827804484acc63d
SHA512 2050169c0ebf583bee746d4e8983ef7dc1e63043b2ad6a645342db7f6ba98af21d95fd1f5aeb7af714d69ddcfb140c4e65742ba1ce9c449011430bc5c254ab84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fa4ae5fcb44bfaf845b845961180d250
SHA1 8257ee68bdd2bc3ea2723eda7aeba404195d46bf
SHA256 574c66c19561773196a88f115168cf5d73b71fd26f9034606fe38a5535d4df96
SHA512 ad1de0c1d0f5a4a7e3615b48537f75250779368b388520b001d96367d5aa19fa88a9f471d1212e679ab9eaae854374445807877891bf1b803fa6c7886877d253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 ba5dc3715533c4d82aa15e97fa5bf3bd
SHA1 d39d79efcafd5a45dca7d85682af536abd4c41b3
SHA256 676157426e0c6d345424cc00ad1c6f6328d602239ffc02b932ae4e35fd738b07
SHA512 93cd61c63af954c3499d0d6b90801e4f2754e83c037a0a5ad3aa4354b49c68ed47a69dc360ace3989c29259db8b1edd0631f11d713c85cd4624352a8b73820d7

memory/2844-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2844-158-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\FCEA.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

C:\Users\Admin\AppData\Local\Temp\FCEA.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

C:\Users\Admin\AppData\Local\Temp\FCEA.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

memory/2412-164-0x00000000001A0000-0x0000000000250000-memory.dmp

memory/2844-168-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2844-171-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2844-170-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\D2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2412-179-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2412-185-0x0000000000790000-0x0000000000810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2412-187-0x0000000000150000-0x0000000000158000-memory.dmp

memory/2412-188-0x0000000000160000-0x000000000017A000-memory.dmp

memory/2412-189-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2412-190-0x000000001A890000-0x000000001A918000-memory.dmp

memory/2844-191-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/2540-207-0x0000000000270000-0x00000000002C1000-memory.dmp

memory/2540-204-0x0000000002480000-0x0000000002580000-memory.dmp

memory/2016-209-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/2016-212-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2016-213-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/2844-224-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\21909164-404f-4bd7-9769-291f05ff4a15\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78610589a8cdcf71fe3a264375a7cdf4
SHA1 2a5bd38501d96e0f6396f855706ec9b9ebfa8d15
SHA256 fd3bf913b9195b549a8760aee37776cce6a2a0af29ad565f21dffaa785eb4ae8
SHA512 bb7894cfc07fbab8ed9650a6d11038422bd79e10fbca487702eef2bf20e05fcad22efe21979862c37d74ae804535fad35d4a2e18ba63b383ebb5f73f133487c7

memory/240-308-0x0000000074630000-0x0000000074D1E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d9765f42f81e84a51238de61eb68623
SHA1 b9cd919778d941cf95a2c34b744c8fbc09d8fb26
SHA256 c54583e228695e7bed7b9bbd7e0f7d320e6d1dbd7a1d85fe7bd4ba56d6c60a8a
SHA512 93339a58a978eee72ff959f7819c5c655e1e77809ab26ecb10e0a3fbc6123496d433a1e5c260323f800993922931eaba98b084147e4b9ce6a8b7efd5e7ec4ed2

memory/1528-329-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2016-361-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2412-376-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2412-392-0x0000000000790000-0x0000000000810000-memory.dmp

memory/2016-405-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2744-407-0x0000000074630000-0x0000000074D1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4