Malware Analysis Report

2025-04-14 07:23

Sample ID 230915-pt2afabf51
Target 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe
SHA256 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b
Tags
amadey djvu redline smokeloader vidar 7b01483643983171e949f923c5bc80e7 logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b

Threat Level: Known bad

The file 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader vidar 7b01483643983171e949f923c5bc80e7 logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer persistence ransomware spyware stealer trojan themida

Djvu Ransomware

Amadey

Vidar

RedLine

Detected Djvu ransomware

SmokeLoader

Downloads MZ/PE file

Reads user/profile data of web browsers

Themida packer

Checks computer location settings

Deletes itself

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: LoadsDriver

Modifies system certificate store

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-15 12:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-15 12:38

Reported

2023-09-15 12:40

Platform

win7-20230831-en

Max time kernel

152s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F393.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F47E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F921.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1EDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F9E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cwardsd N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F9E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3dc7b767-dbca-4d85-a4bb-3195a6ef9c6a\\F0B5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ac3c97bd-8eac-4125-8916-4c42e0d1328c\\FEED.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FEED.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cwardsd N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cwardsd N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cwardsd N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d01900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\F0B5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\1423.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cwardsd N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F47E.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F393.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 1372 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 1372 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 1372 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 2300 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\F0B5.exe C:\Users\Admin\AppData\Local\Temp\F0B5.exe
PID 1372 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\F393.exe
PID 1372 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\F393.exe
PID 1372 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\F393.exe
PID 1372 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\F393.exe
PID 1372 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\F47E.exe
PID 1372 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\F47E.exe
PID 1372 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\F47E.exe
PID 1372 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\F47E.exe
PID 1372 wrote to memory of 1172 N/A N/A C:\Users\Admin\AppData\Local\Temp\F921.exe
PID 1372 wrote to memory of 1172 N/A N/A C:\Users\Admin\AppData\Local\Temp\F921.exe
PID 1372 wrote to memory of 1172 N/A N/A C:\Users\Admin\AppData\Local\Temp\F921.exe
PID 1372 wrote to memory of 1172 N/A N/A C:\Users\Admin\AppData\Local\Temp\F921.exe
PID 1372 wrote to memory of 2504 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1372 wrote to memory of 2504 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1372 wrote to memory of 2504 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1372 wrote to memory of 2504 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1372 wrote to memory of 2504 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1372 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 1372 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 1372 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 1372 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2668 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\FEED.exe C:\Users\Admin\AppData\Local\Temp\FEED.exe
PID 2504 wrote to memory of 2400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2504 wrote to memory of 2400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2504 wrote to memory of 2400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2504 wrote to memory of 2400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2504 wrote to memory of 2400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2504 wrote to memory of 2400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2504 wrote to memory of 2400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1172 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\F921.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe

"C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe"

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

C:\Users\Admin\AppData\Local\Temp\F393.exe

C:\Users\Admin\AppData\Local\Temp\F393.exe

C:\Users\Admin\AppData\Local\Temp\F47E.exe

C:\Users\Admin\AppData\Local\Temp\F47E.exe

C:\Users\Admin\AppData\Local\Temp\F921.exe

C:\Users\Admin\AppData\Local\Temp\F921.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FD56.dll

C:\Users\Admin\AppData\Local\Temp\FEED.exe

C:\Users\Admin\AppData\Local\Temp\FEED.exe

C:\Users\Admin\AppData\Local\Temp\FEED.exe

C:\Users\Admin\AppData\Local\Temp\FEED.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FD56.dll

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ac3c97bd-8eac-4125-8916-4c42e0d1328c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3dc7b767-dbca-4d85-a4bb-3195a6ef9c6a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\FEED.exe

"C:\Users\Admin\AppData\Local\Temp\FEED.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

"C:\Users\Admin\AppData\Local\Temp\F0B5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1423.exe

C:\Users\Admin\AppData\Local\Temp\1423.exe

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

"C:\Users\Admin\AppData\Local\Temp\F0B5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FEED.exe

"C:\Users\Admin\AppData\Local\Temp\FEED.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1423.exe

C:\Users\Admin\AppData\Local\Temp\1423.exe

C:\Users\Admin\AppData\Local\Temp\1EDD.exe

C:\Users\Admin\AppData\Local\Temp\1EDD.exe

C:\Users\Admin\AppData\Local\Temp\1423.exe

"C:\Users\Admin\AppData\Local\Temp\1423.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4F9E.exe

C:\Users\Admin\AppData\Local\Temp\4F9E.exe

C:\Users\Admin\AppData\Local\Temp\1423.exe

"C:\Users\Admin\AppData\Local\Temp\1423.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

"C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe"

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

"C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe"

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build3.exe

"C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe

"C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe"

C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build3.exe

"C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build3.exe"

C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe

"C:\Users\Admin\AppData\Local\9efb60f8-97e2-4dd2-b234-d36545f5e48a\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FF1A3ADB-C179-42E7-BA48-4FA2618B7F92} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\cwardsd

C:\Users\Admin\AppData\Roaming\cwardsd

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 211.181.24.132:80 colisumy.com tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 211.181.24.132:80 colisumy.com tcp
BG 193.42.32.101:80 193.42.32.101 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
MD 176.123.9.142:14845 tcp
US 38.181.25.43:3325 tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 api-alajman.com udp
GB 193.32.208.75:443 api-alajman.com tcp
GB 193.32.208.75:443 api-alajman.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 211.181.24.132:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
MX 187.134.40.51:80 zexeq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
KR 211.181.24.132:80 colisumy.com tcp
MX 187.134.40.51:80 zexeq.com tcp
MX 187.134.40.51:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
NL 23.222.49.98:443 steamcommunity.com tcp
DE 116.203.7.16:80 116.203.7.16 tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 23.222.49.98:443 steamcommunity.com tcp
DE 116.203.7.16:80 116.203.7.16 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.132:80 apps.identrust.com tcp

Files

memory/2824-2-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/2824-1-0x0000000000250000-0x0000000000350000-memory.dmp

memory/2824-3-0x0000000000400000-0x0000000002290000-memory.dmp

memory/1372-4-0x0000000002680000-0x0000000002696000-memory.dmp

memory/2824-5-0x0000000000400000-0x0000000002290000-memory.dmp

memory/2824-8-0x00000000001B0000-0x00000000001B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/2300-18-0x0000000000360000-0x00000000003F2000-memory.dmp

memory/2300-19-0x0000000000360000-0x00000000003F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/2468-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2468-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2300-20-0x0000000002040000-0x000000000215B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\F393.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\F393.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\F47E.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

C:\Users\Admin\AppData\Local\Temp\F47E.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

memory/2468-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2468-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2452-43-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2452-42-0x0000000000230000-0x0000000000260000-memory.dmp

memory/2572-46-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2572-45-0x0000000000250000-0x0000000000280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F921.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

C:\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2668-63-0x00000000007A0000-0x0000000000832000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2668-75-0x0000000002100000-0x000000000221B000-memory.dmp

memory/2524-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2452-73-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/2668-72-0x00000000007A0000-0x0000000000832000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\FD56.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

memory/2524-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2524-76-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F393.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\F47E.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

memory/2572-77-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/2800-80-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-85-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-83-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-88-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-87-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2800-82-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-90-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-92-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\Temp\FD56.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

C:\Users\Admin\AppData\Local\Temp\Cab781.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2400-109-0x0000000010000000-0x0000000010243000-memory.dmp

memory/2400-108-0x00000000000C0000-0x00000000000C6000-memory.dmp

memory/2452-110-0x0000000001D50000-0x0000000001D56000-memory.dmp

memory/2800-113-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/2572-112-0x0000000000620000-0x0000000000626000-memory.dmp

memory/2800-114-0x00000000003E0000-0x00000000003E6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7fd60359e26a375eafdfa7cf03cce0c
SHA1 5c8d9089f555a1921b62e2813e5af70304b13aa4
SHA256 1cf5160f6149eb554c2a24c0f76aecb698a251789bac6ca8fe74b21a5a595586
SHA512 5bf620445f78b11a22a41b0c194fa718d127b3bb9a01589eed4a7bc75ffe731996f681997bf0303b53115710214e8d1614be11a22460eb3bc1baf3af6b1dea29

C:\Users\Admin\AppData\Local\Temp\TarB88.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fa4ae5fcb44bfaf845b845961180d250
SHA1 8257ee68bdd2bc3ea2723eda7aeba404195d46bf
SHA256 574c66c19561773196a88f115168cf5d73b71fd26f9034606fe38a5535d4df96
SHA512 ad1de0c1d0f5a4a7e3615b48537f75250779368b388520b001d96367d5aa19fa88a9f471d1212e679ab9eaae854374445807877891bf1b803fa6c7886877d253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 bbae22d748224168fecba31dab903ac1
SHA1 78e7914a2d8be3f1c6502352ee75be2d08f126d2
SHA256 525d63c55bb25273ec2622f037410d1fd081539f65bede9a798180d76556fde7
SHA512 a7687db8eacc8a7a18c6f6aee60212aaf002c9c973f0f8c06fe247dfe0c59417dfe7d30370fb7eb020e768ed42300d658e4851f9041f0580453c9ce5094d7fc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de35786c1f737ec058d595f109987db7
SHA1 bc142bcbf73604a27c3db406dc18e38ce5056fc2
SHA256 b53afe879874b952a3d72b4cc5b2a93b08ae3479234b25c5ddbfd3644d22372f
SHA512 7e124c4611f09c0c27d64599fb2859348ca26dcc07e61ce7863976ba706965507c439fdd5c7d1ae7d9ca06e821ecb9757cc5664fda963cc78590cd644bf0c1b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 5894852fe9d98ff30ce86dc80eb2fec0
SHA1 7770dd565947c6a228593539bc3e2f0a52ce1f0d
SHA256 c1b49ac6dfa6eebb66f827eb7a93096566db7ece660ce7cf4e95b8f634c84f5a
SHA512 dbed070fb14d41b80ab3dfdb75da79bbe65b488f325fa2ecbf7f6f4c73de1f1c217cd921ca7798a45fac7173a275c20e95ef64427c78a7a58942a3aab5a9f9da

C:\Users\Admin\AppData\Local\ac3c97bd-8eac-4125-8916-4c42e0d1328c\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\3dc7b767-dbca-4d85-a4bb-3195a6ef9c6a\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2524-171-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/2468-176-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1824-179-0x00000000002B0000-0x0000000000342000-memory.dmp

memory/1948-181-0x0000000001F90000-0x0000000002022000-memory.dmp

memory/1824-180-0x00000000002B0000-0x0000000000342000-memory.dmp

memory/1948-188-0x0000000001F90000-0x0000000002022000-memory.dmp

\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/384-191-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0B5.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/2452-198-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/384-199-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEED.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/2400-206-0x0000000002300000-0x000000000241A000-memory.dmp

memory/2284-211-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2284-213-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2572-214-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/1516-216-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2400-217-0x0000000002420000-0x000000000251F000-memory.dmp

\Users\Admin\AppData\Local\Temp\1EDD.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

C:\Users\Admin\AppData\Local\Temp\1EDD.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

C:\Users\Admin\AppData\Local\Temp\1EDD.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

memory/2400-222-0x0000000002420000-0x000000000251F000-memory.dmp

memory/2452-224-0x0000000004730000-0x0000000004770000-memory.dmp

memory/2800-226-0x0000000004850000-0x0000000004890000-memory.dmp

memory/2572-227-0x0000000001FC0000-0x0000000002000000-memory.dmp

memory/2800-229-0x0000000074320000-0x0000000074A0E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 5894852fe9d98ff30ce86dc80eb2fec0
SHA1 7770dd565947c6a228593539bc3e2f0a52ce1f0d
SHA256 c1b49ac6dfa6eebb66f827eb7a93096566db7ece660ce7cf4e95b8f634c84f5a
SHA512 dbed070fb14d41b80ab3dfdb75da79bbe65b488f325fa2ecbf7f6f4c73de1f1c217cd921ca7798a45fac7173a275c20e95ef64427c78a7a58942a3aab5a9f9da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fa4ae5fcb44bfaf845b845961180d250
SHA1 8257ee68bdd2bc3ea2723eda7aeba404195d46bf
SHA256 574c66c19561773196a88f115168cf5d73b71fd26f9034606fe38a5535d4df96
SHA512 ad1de0c1d0f5a4a7e3615b48537f75250779368b388520b001d96367d5aa19fa88a9f471d1212e679ab9eaae854374445807877891bf1b803fa6c7886877d253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 89c58535849cc8dc3cf17215a91f263f
SHA1 c9c5926e5d0da6b8bb9dad594ad7b843617e3ab3
SHA256 63839b0265047b670789c911adf74220672c9c505f65f69e735e3721b8d81bb0
SHA512 f71a8bec28b74dbe63afa156d536ad36e5e043aa1b2e3cab084d69308a2a88d28785034d660235f068a175873a912cc8bec9d3c69998096304d54f2d15233203

\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/1576-250-0x0000000000080000-0x0000000000130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/2284-256-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F9E.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4F9E.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2480-271-0x00000000002B0000-0x0000000000342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1423.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1576-278-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2928-281-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1576-282-0x000000001B150000-0x000000001B1D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\SystemID\PersonalID.txt

MD5 324770a7653f940b6e66d90455f6e1a8
SHA1 5b9edb85029710a458f7a77f474721307d2fb738
SHA256 9dda9cd8e2b81a8d0d46e39f4495130246582b673b7ddddef4ebecfeeb6bbc30
SHA512 48ae3a8b8a45881285ff6117edd0ca42fe2b06b0d868b2d535f82a9c26157d3c434535d91b7a9f33cf3c627bc49e469bf997077edcfff6b83e4d7e30cf9dea23

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 e3c640eced72a28f10eac99da233d9fd
SHA1 1d7678afc24a59de1da0bf74126baf3b8540b5b0
SHA256 87de9c0701eab8d410954dc4d3e7e6013ca6a0c8a514969418a12c21135f133e
SHA512 bcb94b7ba487784d343961b24107ea17a82f200961505927ef385caeb0684fbbe1a3482b7d0af7f3766b9ec2c4d6236341b50541cf7b1217acdc0a8b5b37e3d7

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/1728-323-0x00000000023B0000-0x00000000024B0000-memory.dmp

memory/1728-326-0x00000000002C0000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/1516-328-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1008-332-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\6b3f5fc4-eb24-442d-8267-fb4edfaff6a3\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1576-349-0x00000000003F0000-0x00000000003F8000-memory.dmp

memory/2800-344-0x0000000004850000-0x0000000004890000-memory.dmp

memory/1560-371-0x0000000002532000-0x0000000002561000-memory.dmp

memory/1576-372-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1712-376-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1576-378-0x0000000000420000-0x0000000000426000-memory.dmp

memory/2452-377-0x0000000004730000-0x0000000004770000-memory.dmp

memory/2572-379-0x0000000001FC0000-0x0000000002000000-memory.dmp

memory/1576-396-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2928-428-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1576-429-0x000000001B150000-0x000000001B1D0000-memory.dmp

memory/1576-455-0x0000000002010000-0x0000000002098000-memory.dmp

memory/1008-471-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1712-487-0x0000000000400000-0x0000000000465000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\37904759341038197208517597

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/2800-604-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/1712-609-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2572-612-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/2824-632-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2824-633-0x0000000000400000-0x0000000002290000-memory.dmp

memory/2824-642-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2824-643-0x0000000000400000-0x0000000002290000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-15 12:38

Reported

2023-09-15 12:40

Platform

win10v2004-20230915-en

Max time kernel

73s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6099.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\50eaf2fb-e9df-42c5-b027-c465d6c8fd9a\\6099.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6099.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4120 set thread context of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 984 set thread context of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 2716 set thread context of 2132 N/A C:\Users\Admin\AppData\Local\Temp\6A43.exe C:\Users\Admin\AppData\Local\Temp\6A43.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62ED.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6211.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 984 N/A N/A C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 3196 wrote to memory of 984 N/A N/A C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 3196 wrote to memory of 984 N/A N/A C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 3196 wrote to memory of 4764 N/A N/A C:\Users\Admin\AppData\Local\Temp\6211.exe
PID 3196 wrote to memory of 4764 N/A N/A C:\Users\Admin\AppData\Local\Temp\6211.exe
PID 3196 wrote to memory of 4764 N/A N/A C:\Users\Admin\AppData\Local\Temp\6211.exe
PID 3196 wrote to memory of 1280 N/A N/A C:\Users\Admin\AppData\Local\Temp\62ED.exe
PID 3196 wrote to memory of 1280 N/A N/A C:\Users\Admin\AppData\Local\Temp\62ED.exe
PID 3196 wrote to memory of 1280 N/A N/A C:\Users\Admin\AppData\Local\Temp\62ED.exe
PID 3196 wrote to memory of 4120 N/A N/A C:\Users\Admin\AppData\Local\Temp\6530.exe
PID 3196 wrote to memory of 4120 N/A N/A C:\Users\Admin\AppData\Local\Temp\6530.exe
PID 3196 wrote to memory of 4120 N/A N/A C:\Users\Admin\AppData\Local\Temp\6530.exe
PID 3196 wrote to memory of 264 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3196 wrote to memory of 264 N/A N/A C:\Windows\system32\regsvr32.exe
PID 264 wrote to memory of 4712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 264 wrote to memory of 4712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 264 wrote to memory of 4712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3196 wrote to memory of 2716 N/A N/A C:\Users\Admin\AppData\Local\Temp\6A43.exe
PID 3196 wrote to memory of 2716 N/A N/A C:\Users\Admin\AppData\Local\Temp\6A43.exe
PID 3196 wrote to memory of 2716 N/A N/A C:\Users\Admin\AppData\Local\Temp\6A43.exe
PID 3196 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A80.exe
PID 3196 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A80.exe
PID 3196 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A80.exe
PID 3196 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\7CC4.exe
PID 3196 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\7CC4.exe
PID 3196 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 3196 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 3196 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 3196 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B1D.exe
PID 3196 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B1D.exe
PID 3196 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B1D.exe
PID 3188 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3188 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3188 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3136 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3136 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3136 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3136 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3136 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe
PID 3136 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe
PID 1976 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe
PID 984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\6099.exe C:\Users\Admin\AppData\Local\Temp\6099.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe

"C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b_JC.exe"

C:\Users\Admin\AppData\Local\Temp\6099.exe

C:\Users\Admin\AppData\Local\Temp\6099.exe

C:\Users\Admin\AppData\Local\Temp\6211.exe

C:\Users\Admin\AppData\Local\Temp\6211.exe

C:\Users\Admin\AppData\Local\Temp\62ED.exe

C:\Users\Admin\AppData\Local\Temp\62ED.exe

C:\Users\Admin\AppData\Local\Temp\6530.exe

C:\Users\Admin\AppData\Local\Temp\6530.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6800.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6800.dll

C:\Users\Admin\AppData\Local\Temp\6A43.exe

C:\Users\Admin\AppData\Local\Temp\6A43.exe

C:\Users\Admin\AppData\Local\Temp\7A80.exe

C:\Users\Admin\AppData\Local\Temp\7A80.exe

C:\Users\Admin\AppData\Local\Temp\7CC4.exe

C:\Users\Admin\AppData\Local\Temp\7CC4.exe

C:\Users\Admin\AppData\Local\Temp\85DD.exe

C:\Users\Admin\AppData\Local\Temp\85DD.exe

C:\Users\Admin\AppData\Local\Temp\8B1D.exe

C:\Users\Admin\AppData\Local\Temp\8B1D.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\6099.exe

C:\Users\Admin\AppData\Local\Temp\6099.exe

C:\Users\Admin\AppData\Local\Temp\6A43.exe

C:\Users\Admin\AppData\Local\Temp\6A43.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\50eaf2fb-e9df-42c5-b027-c465d6c8fd9a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6A43.exe

"C:\Users\Admin\AppData\Local\Temp\6A43.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7A80.exe

C:\Users\Admin\AppData\Local\Temp\7A80.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\7A80.exe

"C:\Users\Admin\AppData\Local\Temp\7A80.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6A43.exe

"C:\Users\Admin\AppData\Local\Temp\6A43.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4472 -ip 4472

C:\Users\Admin\AppData\Local\Temp\7A80.exe

"C:\Users\Admin\AppData\Local\Temp\7A80.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 568

C:\Users\Admin\AppData\Local\Temp\6099.exe

"C:\Users\Admin\AppData\Local\Temp\6099.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6099.exe

"C:\Users\Admin\AppData\Local\Temp\6099.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\bcrvsci

C:\Users\Admin\AppData\Roaming\bcrvsci

C:\Users\Admin\AppData\Roaming\rsrvsci

C:\Users\Admin\AppData\Roaming\rsrvsci

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=54465 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc3b1e9758,0x7ffc3b1e9768,0x7ffc3b1e9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1372 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1664 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=54465 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2000 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=54465 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1956 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:1

C:\Users\Admin\AppData\Local\Temp\B3A1.exe

C:\Users\Admin\AppData\Local\Temp\B3A1.exe

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=54465 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2544 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=54465 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3160 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=54465 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3320 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=54465 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2172 --field-trial-handle=1492,i,5168832870691355403,16251542260051880294,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=30643 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR" --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc519a46f8,0x7ffc519a4708,0x7ffc519a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,8742143290327629560,3319087513099133264,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1476 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,8742143290327629560,3319087513099133264,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1812 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=30643 --allow-pre-commit-input --field-trial-handle=1468,8742143290327629560,3319087513099133264,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=30643 --allow-pre-commit-input --field-trial-handle=1468,8742143290327629560,3319087513099133264,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=30643 --allow-pre-commit-input --field-trial-handle=1468,8742143290327629560,3319087513099133264,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=30643 --allow-pre-commit-input --field-trial-handle=1468,8742143290327629560,3319087513099133264,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=30643 --allow-pre-commit-input --field-trial-handle=1468,8742143290327629560,3319087513099133264,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 211.181.24.132:80 colisumy.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 132.24.181.211.in-addr.arpa udp
KR 211.181.24.132:80 colisumy.com tcp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 api-alajman.com udp
GB 193.32.208.75:443 api-alajman.com tcp
MD 176.123.9.142:14845 tcp
US 8.8.8.8:53 75.208.32.193.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
GB 51.38.95.107:42494 tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 107.95.38.51.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 133.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 gudintas.at udp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
US 8.8.8.8:53 123.247.49.186.in-addr.arpa udp
US 95.214.27.254:80 tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
UY 186.49.247.123:80 gudintas.at tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 h170700.srv22.test-hf.su udp
RU 91.227.16.22:80 h170700.srv22.test-hf.su tcp
UY 186.49.247.123:80 gudintas.at tcp
US 8.8.8.8:53 22.16.227.91.in-addr.arpa udp
US 95.214.27.254:80 tcp
UY 186.49.247.123:80 gudintas.at tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
UY 186.49.247.123:80 gudintas.at tcp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 ogs.google.com udp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.251.36.54:443 i.ytimg.com tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 93.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
UY 186.49.247.123:80 gudintas.at tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 54.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
NL 142.251.36.14:443 play.google.com udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.2:443 googleads.g.doubleclick.net tcp
NL 142.251.36.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 2.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 126.132.60.8.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 95.214.27.254:80 tcp

Files

memory/416-1-0x0000000002360000-0x0000000002460000-memory.dmp

memory/416-2-0x0000000003FD0000-0x0000000003FD9000-memory.dmp

memory/416-3-0x0000000000400000-0x0000000002290000-memory.dmp

memory/3196-4-0x0000000001520000-0x0000000001536000-memory.dmp

memory/416-5-0x0000000000400000-0x0000000002290000-memory.dmp

memory/416-8-0x0000000003FD0000-0x0000000003FD9000-memory.dmp

memory/3196-13-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-14-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-15-0x0000000003440000-0x0000000003450000-memory.dmp

memory/3196-16-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-17-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-18-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-19-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-20-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-22-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-21-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-24-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-25-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-26-0x00000000037C0000-0x00000000037D0000-memory.dmp

memory/3196-27-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-28-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-29-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-31-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-33-0x0000000003440000-0x0000000003450000-memory.dmp

memory/3196-32-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-30-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-35-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-34-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-38-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-37-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-39-0x00000000037B0000-0x00000000037C0000-memory.dmp

memory/3196-40-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-43-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-42-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-41-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-44-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-46-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-45-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/3196-47-0x00000000015A0000-0x00000000015B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6099.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\6099.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\6211.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\62ED.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

C:\Users\Admin\AppData\Local\Temp\6211.exe

MD5 fc55462468d1a34e514d01aa30c0a5cd
SHA1 168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA256 74ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512 e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d

C:\Users\Admin\AppData\Local\Temp\6530.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

C:\Users\Admin\AppData\Local\Temp\62ED.exe

MD5 ed6778e6fe0c07587f4892c807d7f883
SHA1 3a94caa9336934ca2b12173b24fa815ea963edcb
SHA256 a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512 b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544

memory/4764-65-0x0000000002080000-0x00000000020B0000-memory.dmp

memory/4764-64-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6800.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

C:\Users\Admin\AppData\Local\Temp\6530.exe

MD5 c7b34cc95676afe2b43fce196202d3fa
SHA1 92eb09a6883ef684d3d175ece6599a61266bada9
SHA256 8d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA512 0e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16

C:\Users\Admin\AppData\Local\Temp\6A43.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

C:\Users\Admin\AppData\Local\Temp\6A43.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/1280-77-0x0000000000490000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6800.dll

MD5 e0286fab4e36e2523d461e6294395e22
SHA1 f0a6ac98bb771e720ac3683a75f7ec3af7ad75cd
SHA256 a03129d4c88ef87b55f37dcc126c02ffb9231800655eb0885936b2764577d919
SHA512 7d637411a7566053b2bf37b75e907052af66b8a404499afa9b23477bfc318952bb94837b8aa9c14e16156afa080cba0ca91663e068a482953b3576daf8c4f467

memory/4764-79-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/4764-80-0x00000000023E0000-0x00000000023E6000-memory.dmp

memory/4712-82-0x0000000010000000-0x0000000010243000-memory.dmp

memory/4712-84-0x00000000006A0000-0x00000000006A6000-memory.dmp

memory/1280-86-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1280-87-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/1280-88-0x0000000002300000-0x0000000002306000-memory.dmp

memory/4764-89-0x0000000004B50000-0x0000000005168000-memory.dmp

memory/4764-90-0x0000000005170000-0x000000000527A000-memory.dmp

memory/4712-92-0x00000000024F0000-0x000000000260A000-memory.dmp

memory/4764-93-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/4764-91-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4764-94-0x0000000005280000-0x00000000052BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A80.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\7A80.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/1280-99-0x0000000005300000-0x000000000534C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7CC4.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

C:\Users\Admin\AppData\Local\Temp\7CC4.exe

MD5 2f212322c6b6d7db7250d0c282271925
SHA1 01676375932ea61ffb5128c244c0ecc7cb335a01
SHA256 3073eaf746e904b1e653992e78f7c5f95b3f9ad0989e4611412b038348c1afa1
SHA512 2dc544c11d9fb985b915d4af5ec2025468c6ca112c2301f161fd81577b24bdc28b2bf0e81979a7e4048e70ed8216fcac35cb055fd81b5b341e48c5ef8f2e446f

memory/4816-104-0x000001E6E64D0000-0x000001E6E6580000-memory.dmp

memory/4816-105-0x000001E6E6A30000-0x000001E6E6A38000-memory.dmp

memory/4816-106-0x000001E6E8280000-0x000001E6E829A000-memory.dmp

memory/4816-107-0x000001E6E8260000-0x000001E6E8266000-memory.dmp

memory/4816-109-0x000001E6E8BE0000-0x000001E6E8C68000-memory.dmp

memory/4816-108-0x00007FFC3A5D0000-0x00007FFC3B091000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85DD.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\85DD.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\8B1D.exe

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

C:\Users\Admin\AppData\Local\Temp\8B1D.exe

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

memory/4712-120-0x0000000002610000-0x000000000270F000-memory.dmp

memory/4712-121-0x0000000002610000-0x000000000270F000-memory.dmp

memory/4712-125-0x0000000002610000-0x000000000270F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4712-128-0x0000000002610000-0x000000000270F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1280-133-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/1280-132-0x0000000005440000-0x00000000054B6000-memory.dmp

memory/1280-134-0x0000000005560000-0x0000000005B04000-memory.dmp

memory/1280-135-0x0000000005CF0000-0x0000000005D56000-memory.dmp

memory/1744-136-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1744-137-0x0000000000F10000-0x0000000000F16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

MD5 b236b8e5bab2445e09876a88d83a995a
SHA1 3278af413aad4772a57a4c33418d504f958465d9
SHA256 ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2
SHA512 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5

memory/1280-151-0x0000000006240000-0x0000000006402000-memory.dmp

memory/1280-152-0x0000000006420000-0x000000000694C000-memory.dmp

memory/1280-153-0x0000000006A70000-0x0000000006AC0000-memory.dmp

memory/4816-154-0x000001E6E82F0000-0x000001E6E8300000-memory.dmp

memory/1744-155-0x0000000000F30000-0x0000000000F40000-memory.dmp

memory/1016-156-0x00007FF78ADA0000-0x00007FF78ADD8000-memory.dmp

memory/2920-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1744-158-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/2920-161-0x0000000000400000-0x0000000000537000-memory.dmp

memory/984-163-0x00000000023CA000-0x000000000245C000-memory.dmp

memory/2920-162-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6099.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/984-164-0x0000000002490000-0x00000000025AB000-memory.dmp

memory/4764-165-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/2920-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2716-177-0x00000000022A0000-0x0000000002340000-memory.dmp

memory/1280-178-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/4764-179-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/2716-180-0x0000000002480000-0x000000000259B000-memory.dmp

memory/2132-183-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2132-184-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6A43.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/2132-181-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2132-188-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\50eaf2fb-e9df-42c5-b027-c465d6c8fd9a\6099.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/1016-195-0x0000000003170000-0x00000000032E1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bcf9c82a8e06cd4dbc7c6f8166b03d62
SHA1 aa072fd0adc30bc7d45952443a137972eaea0499
SHA256 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d
SHA512 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 fc7b7e470cad522c9e745680cfc1540b
SHA1 73eb41cabe50c1bacc7e1a927d432575a4f89b7d
SHA256 0f2961fd6ac542c957c0fd4d8d548b5ce7ff5d378be0f8610fb5bca91601fa69
SHA512 cecf2d4c72a075c6480aa597ac229190d25102289063ebfffc4838a0701721e5e3150482042170df857bc72e50189869a27da93d515c218efbf3238c28275546

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 fa4ae5fcb44bfaf845b845961180d250
SHA1 8257ee68bdd2bc3ea2723eda7aeba404195d46bf
SHA256 574c66c19561773196a88f115168cf5d73b71fd26f9034606fe38a5535d4df96
SHA512 ad1de0c1d0f5a4a7e3615b48537f75250779368b388520b001d96367d5aa19fa88a9f471d1212e679ab9eaae854374445807877891bf1b803fa6c7886877d253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 3737ca0dadc4bd91ba856cfb41deb0f0
SHA1 890c87541ae585c31edee49109319345a69606cd
SHA256 364bb990cf15e687d662faab350425d2ec596553a99d248ea70ac3e6c275399b
SHA512 50b8f6647ce39bafa9f57c2d3b10ea33b6857b5375480ab79836a1dc7d3f9e5c86ef01ae30f3e59981110474df2401ccf1ddb3f5ca2a9db06cef33ac0d66154a

memory/2132-213-0x0000000000400000-0x0000000000537000-memory.dmp

memory/956-220-0x0000000000400000-0x0000000000537000-memory.dmp

memory/956-218-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A80.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\6A43.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/956-230-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A80.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\50eaf2fb-e9df-42c5-b027-c465d6c8fd9a\6099.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

memory/3196-241-0x00000000086F0000-0x0000000008706000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6A43.exe

MD5 d27125ae65af3a6ce086eeae8fa41521
SHA1 70209d54e90908fc10f99af3cb38620bd744f93b
SHA256 4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea
SHA512 93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

memory/4472-244-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 2edbbbf500448a2e906b6f60f3115858
SHA1 2044c7522fa475432868dd560d97b045f5bc9795
SHA256 874e2ffa85bf4a2b66018cf8fc27fb5338d7f111cf4471bf5c2df6dbf3d3e1d6
SHA512 22eed409c76140ea9c60a9899891ae33c727a17541512d691ef580b19a2d1a2c48d837c48c0e6efb8c370d6b62d0cdd15a4fd208fcff13cc6c63e922874c60a7

memory/2944-250-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 2edbbbf500448a2e906b6f60f3115858
SHA1 2044c7522fa475432868dd560d97b045f5bc9795
SHA256 874e2ffa85bf4a2b66018cf8fc27fb5338d7f111cf4471bf5c2df6dbf3d3e1d6
SHA512 22eed409c76140ea9c60a9899891ae33c727a17541512d691ef580b19a2d1a2c48d837c48c0e6efb8c370d6b62d0cdd15a4fd208fcff13cc6c63e922874c60a7

memory/4472-255-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4472-251-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 2edbbbf500448a2e906b6f60f3115858
SHA1 2044c7522fa475432868dd560d97b045f5bc9795
SHA256 874e2ffa85bf4a2b66018cf8fc27fb5338d7f111cf4471bf5c2df6dbf3d3e1d6
SHA512 22eed409c76140ea9c60a9899891ae33c727a17541512d691ef580b19a2d1a2c48d837c48c0e6efb8c370d6b62d0cdd15a4fd208fcff13cc6c63e922874c60a7

C:\Users\Admin\AppData\Local\Temp\7A80.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\6099.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Local\Temp\6099.exe

MD5 c828a18ae02d9687af059652a5e5d727
SHA1 152145105af2ab1ed99f8751a8d7adb153d2119d
SHA256 41fbf22c6efa23735ea2ce86cf609683e4b1f9d3057a7b1e495d2e3c5628f12a
SHA512 99605c96db625901c4fa03b8e018cab4829e06c26d219a64085da167b3b78f1ef20ec5891c41df7c6aa060ddd9872ff40935d4265dc1f2c5be73f178d99770ea

C:\Users\Admin\AppData\Roaming\bcrvsci

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d9091840a18c8c91e92ad926d81bed5a

MD5 f53cd54f5241e19d3ab626549d30b97d
SHA1 822239d3833d1911987fc7b6b2e7b4bbe9a512ed
SHA256 fa8fd1ac5b0953f753a607e678283be2e039e6c829bc1d97f72b8989b1ecff67
SHA512 28466545ebb8275787bc95229f521c3bcce54281a5078fb98f1215a48e564089bba7c23a38dfada4580a2f2a58730a0f13aca7327d3016c808e73e58a063d2ac

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\CrashpadMetrics-active.pma

MD5 d998db6bb78f1336ff0e927205cd5dcd
SHA1 4d4a205d698b61b661514654b3917375f8ab644a
SHA256 32bce0ec12f35821550b935f0f9d841c1dcb83e9316c804190d0aa26881e9d9f
SHA512 c8e05fd8ab522baeab3742ceec64eea154ebb72f9408c82babec3d01ecad67886626c13a126b9290074d4149eef1be56853e9aea72c455147fe3f7039bbfe21f

C:\Users\Admin\AppData\Roaming\bcrvsci

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Local State

MD5 d6070a47a6ab87d863aaf36846e7b8dc
SHA1 e07689a6eb26c74286eab3698034b27647bb0bf3
SHA256 b1fe4e859a2ad0ed30a894e90fa98b7e952b1cf28564e8a18dc3a70c14c50d2f
SHA512 64fce8f9ca8f04d8c844a521579932859edd4ada91201150dd76f85a63cb552e32af4a85d303a7039fd9a537a9eadbc8b21f840c0c89782582edf466bf3ba2d7

\??\pipe\crashpad_3904_XUAJGPROWJTMAZQA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\bcrvsci

MD5 cb77680df3b88a997837d29478d8a9fa
SHA1 698ea26835510137871b261181e00ca26f1a96a7
SHA256 8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
SHA512 670dbaf3bfd723aff6b3e7f3fbbaf5db684ff0f2241b65acd8895197f801af63882bdb64ef084ea7781e0f8ec703f9bf1e80c042fa05b634382e79a10c212a81

C:\Users\Admin\AppData\Roaming\rsrvsci

MD5 f4e8f176190abbbc6c31cfd0371d5478
SHA1 589a5253e70a05c3db7621eb15f91ab8059750cb
SHA256 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b
SHA512 f13e993b3b1fc00089d0a3e2b7ccf130608afbce7d32e6a15aca23be68d9a90848d7885dfaab77d2b833869cd8313a7e4c6bdd4cd309b0ebd179293ffdfc0e7c

C:\Users\Admin\AppData\Roaming\rsrvsci

MD5 f4e8f176190abbbc6c31cfd0371d5478
SHA1 589a5253e70a05c3db7621eb15f91ab8059750cb
SHA256 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b
SHA512 f13e993b3b1fc00089d0a3e2b7ccf130608afbce7d32e6a15aca23be68d9a90848d7885dfaab77d2b833869cd8313a7e4c6bdd4cd309b0ebd179293ffdfc0e7c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Local Storage\leveldb\LOG

MD5 346aae020c9ae0b1f3e928210f656034
SHA1 e77b2dbc246de170ba9d782c04ccaf3a7595d275
SHA256 ac922a0b493e05cf61d7ca6ffaf7e2b76e2a4551fb49c08deabe24012563774e
SHA512 0879ecb90d4133737b2f8733ac26836f45ccc406091761c51d18adbb3c641b663afdd5d006764028e87b8ccfd9434db9ce7ca564273b1063a6edccce425ee137

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Local Storage\leveldb\LOG.old

MD5 b363c87bf17469d18fe7f2e24e137ae2
SHA1 65798c589ecd7a8a8f5256823a66e3eb6593a8e6
SHA256 405e59b9338b66c9887ca421466353b1bade3328c7a4d6ae441e0aabff7be6b7
SHA512 0de3fb3bc0323d456b2b9c28ace1947142761a4f40e8c8b3da46f21896e52a6b13899ce80c93c1c2e0c195d629974ec800be29cf1b23ea98dcb53e69588bc203

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Network\TransportSecurity

MD5 e531546c59f24861a600f14fdb1203ac
SHA1 513f53996f570724878a4715a541f44a3d2329af
SHA256 fafee6d30fc84e62320995b3cbf2b275d1a315a06bbcc63df822016ba7bef833
SHA512 85b762a8a4e649075d3fb78dec0511f338f7884ca7fd7c70c583dde85e970fc0d7a187063240d98b524f9ef5c04649d34a7aff8219877110c0ebc5f34c03fccc

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Network\Reporting and NEL

MD5 f7bc111b368e68cf314eb912ce1dd93c
SHA1 465484c8004b6439d0ef54598ce01819b4a374f8
SHA256 94b5e6a5ab9ec9a8672d0f5ec40a9c88db366c85ee35d10c1e80df6010b6ba3b
SHA512 4d6596a35236dd6efa1cc66f6d9bef4b169550d7909f5639cb8df3b63d9fd3628cfd935f609f1fdc820f5a0b5114cb58463928df6bd00fbbccdec8b65de7f8d7

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Network\Network Persistent State

MD5 9849f7cb0cd592eb994e8bd4efb4f4cb
SHA1 7fc59f9d2582f71d44f74ee14b667310ad2528fa
SHA256 d5c3f278417f883ca04bb39d7e494d7e56c44a17b1758b2a11c7e8f07f70ba71
SHA512 d2caa172e43f1ab0c4907205059673745dfa8ae3067bfc072e82863b20dc4028c026a44edc61f60b01671a648b281f7fffa6be9c78a092839d9402b8c70150e1

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Network\d9091840a18c8c91e92ad926d81bed5a

MD5 f53cd54f5241e19d3ab626549d30b97d
SHA1 822239d3833d1911987fc7b6b2e7b4bbe9a512ed
SHA256 fa8fd1ac5b0953f753a607e678283be2e039e6c829bc1d97f72b8989b1ecff67
SHA512 28466545ebb8275787bc95229f521c3bcce54281a5078fb98f1215a48e564089bba7c23a38dfada4580a2f2a58730a0f13aca7327d3016c808e73e58a063d2ac

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Network\Cookies

MD5 f53cd54f5241e19d3ab626549d30b97d
SHA1 822239d3833d1911987fc7b6b2e7b4bbe9a512ed
SHA256 fa8fd1ac5b0953f753a607e678283be2e039e6c829bc1d97f72b8989b1ecff67
SHA512 28466545ebb8275787bc95229f521c3bcce54281a5078fb98f1215a48e564089bba7c23a38dfada4580a2f2a58730a0f13aca7327d3016c808e73e58a063d2ac

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

C:\Users\Admin\AppData\Local\Temp\B3A1.exe

MD5 b9d54281382702952367d21a226c47a3
SHA1 8e0eb2d3829523887fe659fb5ab20c0058c9cbda
SHA256 e54f49d1acb2f52c5a889249ec33b5d56135140013b749c920cc53dc461682a6
SHA512 57bca6ca960105604fd75660e89762bc288f69f52c598044867745449518d5f99c4ed1e0801841adb52f82d712410aa6a6bd4119bec44932c05df57aafc7ecdc

C:\Users\Admin\AppData\Local\Temp\B3A1.exe

MD5 b9d54281382702952367d21a226c47a3
SHA1 8e0eb2d3829523887fe659fb5ab20c0058c9cbda
SHA256 e54f49d1acb2f52c5a889249ec33b5d56135140013b749c920cc53dc461682a6
SHA512 57bca6ca960105604fd75660e89762bc288f69f52c598044867745449518d5f99c4ed1e0801841adb52f82d712410aa6a6bd4119bec44932c05df57aafc7ecdc

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 52bea1f71397987a28acc2c7dd8728fe
SHA1 ee6db2631b500bf56f048d7c90a42f769d5a060c
SHA256 5ab7842d76815002e7b5e219fd626ab912f01a832bc8adf763dfc1e246c72c22
SHA512 0b868ceeec3122f3fa2156454e89f513f3bfa5200533d563f46cbda860c9c38fdb539b36f50704b6e641c10cc83d9e24e1276fe83d0bacc1058febef1620a838

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 62203dddb1318eb8a178099a11a38439
SHA1 38e84094af02fd08316e3cfad7141168b959951a
SHA256 fd54c00bec91eff3d756c81a097c64b8e99da21b67e6394c54071b8e0f1a232c
SHA512 46ea81e46323634e246625929f2dcc56dc4df5156e1732d035f30faa12011099b3bc18cd4c815b76544f73521f615ad342b286178f2214e549d8186eb656aff1

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59d2e6.TMP

MD5 84aadd29d06936077b3fe8d08087dc8e
SHA1 4224eee1769f6385c19201a41870a498a2ef6639
SHA256 e76f43468826c3cec5bddc30e4f3fa59de775ca7d0e72049add36716ec5f96e0
SHA512 327eb0dbc0c164b15de3b6c9b0aea53e4f59537f552e81f015b1d71a13e50ec496e2343ea0620039ff451a4d667cfb3598cf70877647d14fb734e8972a929b95

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Code Cache\js\index-dir\the-real-index

MD5 ecb982ef3bfa0edd3e2664f27bcf0b2b
SHA1 e85cf363389646281cf3855cd265297cf83b3474
SHA256 41d3f5fcfcb979b584f450f2f3517a373ad23d1e258423a1ee073ffa343730f7
SHA512 6aa9239a850afc1911922b91788c874c5498c22dd39eb8c7a8f359bb882c4752a31f5345ce4449c7d9e01d1b7779aeb06e3a3c8a1db31c7f7af94c09ee07c0b1

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Code Cache\js\index-dir\the-real-index

MD5 936f4645ce7930f38eb4495265f7c768
SHA1 36e65f08e36d913646e220aefca24883e1f9d4cc
SHA256 59e3243c542a200c4415732c5c136a81008add8a59bb72da169a98426f1a4358
SHA512 bbd7471f5aa53d44a88636019d61c915d484397cb21e0d62fa8a243ec0b54b7c1d1d3ef35c6b01e3a54199d2a7b4fed05bc7187157718227e04c2d66d1cd80fd

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 5d04f5ab45c218fca4caa5fda0270568
SHA1 7f48c46547084cbdd4c8ec1319bfe826b98d77d2
SHA256 37ff69986b266eb4807cc4ea4d6628d9e01b8e79c64c7fcd949c848ed6629197
SHA512 a183de8a72225c9412871ef3634cad3a776c8e2f5999499f8dd2df72ac6656daddd51490218ba167eee2a794da73fce035036bbdadaf2676f7e6193352e06c42

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMCWX6\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59d6ce.TMP

MD5 dad794f6f7a83d52757c7d4eb003b3a0
SHA1 729b6fa0e2b0ebc10682315385152a75b38deb34
SHA256 eae031961116b0ebc877ad2960f4122eda8d34b80a69b4effe69fc8fbd7552ad
SHA512 7a522b567263870c20588d1cbb2465e0a53ae0063872a7d5972ed9267320596ea37f0d0eeb4b85d5e35c310c8a3ce67c22132d6a5a6d6b4c75e51a6d9294525e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Default\Cache\f_000002

MD5 b38618d73414464c59d36b97cc192b46
SHA1 75df2cccc016c2d27734f5ecfcfdd870b96cc06f
SHA256 160e9bf125ca8f8576df7a0116f3678a8189e7e9328f4fa89d4bc4f226fefb61
SHA512 abc1824b7af9fcb7309c30d625de66394a2c123d0b138307d0e8f953d28cea1bd6241b1110c584228a057f76406f29519abc2ad9074687b2d9384f8884140861

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Default\Cache\f_000004

MD5 117b6fa9275a2447a08de6f831448580
SHA1 b1c629759a6cc823b7ea8722a1215e58df804f8e
SHA256 ceb83e479cbf7789242592a3898cd1b815db08de8fe76e194b5857c3cca8649c
SHA512 de7e62959b10325461bf6f75734fd07ef6155e8066107c8d23e98067d656b2e4c8567b939cbaf1720e031a9f4da9536e2bf923ab7c7746f7bf210f887b0e0f78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Default\Cache\f_000003

MD5 3275a2ca76dc8f815c70a4debc38bfc3
SHA1 9663dfc792adb040b3592ded101a4245dac871f1
SHA256 ebe640f85df69db0097a2809b7989e98e8dc3ecc07452e9428d2f84667f1c8f4
SHA512 5e44bd94fc0c7b8e8de9a4366eeafccd8b5b230de233d925284bfb0b813c42cc27c1fab7e3bc738bc7fc0cb41c198ee03eb38dffd76bedb594a6ac4ccd996fde

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Default\Cache\f_000005

MD5 d574939016c1b0511053c934958d9a25
SHA1 1ebb35cd6af10fce71dcd4778c9bbcd9822ef999
SHA256 ad0ad0fb63aff674e004faa8c826d6523a79532133fc07eb9a2ee5a1d367ec66
SHA512 48758079cd42e05da63126f5119d15a4f79520095d062b67490b637df8fc12d567eaa2ec9c083d747093fbefedc651fbb3a2bc4f2fbbab9b5a09379626a40ceb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Default\Cache\f_000009

MD5 988d7e7658cf9792f05bbcac3905f8f2
SHA1 5d58bd5ae00d36ba67c9ae5e294828b00793d9ed
SHA256 066aca3681b0fa4f2621e36dbb29b22fab5b381cdcd97d3d4a2e53e2fd45bce6
SHA512 435c99a3eb65609ef8b2e6d139283a406b409a2e4a190a956750330e3b82b0f0ed97f2bbd1c27c5ee347ca9bff5b8a9b7d978eddb15854d9341867f565c398d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Default\Cache\f_000008

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataNFMMR\Default\Cache\f_00000c

MD5 af3fd9112cfc0b1aec8c5b5774af2e91
SHA1 0d400af10b489087ecfd48cd27fe372b615f0525
SHA256 faf28e677b1fac070c57c3cd187606128c4fd1b5a3886c146d3348719dae3bcf
SHA512 ef8e5ca22d5a89795c65e3d457eebfdf69ab976cd6d3f7470051b3e8a7d915cc2265b55da6ddf8dd00e633d59b937de7629d7627575eb6d6c11a70c3af6e4047