Malware Analysis Report

2025-04-14 06:57

Sample ID 230925-hmd31ach4w
Target 6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02
SHA256 92bae6489afe6cf33498c44a743fb72dd803f6e405b5ffe05217596612943a67
Tags
djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery evasion infostealer persistence ransomware themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92bae6489afe6cf33498c44a743fb72dd803f6e405b5ffe05217596612943a67

Threat Level: Known bad

The file 6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02 was found to be: Known bad.

Malicious Activity Summary

djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery evasion infostealer persistence ransomware themida trojan upx

Detected Djvu ransomware

Djvu Ransomware

SmokeLoader

RedLine

Downloads MZ/PE file

Stops running service(s)

Themida packer

Deletes itself

Executes dropped EXE

Modifies file permissions

UPX packed file

Loads dropped DLL

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-25 06:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-25 06:50

Reported

2023-09-25 06:53

Platform

win7-20230831-en

Max time kernel

34s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9gVwutqg1XklBEbBAYfueKoF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GMe79FZr6SUDcDcWLERr3dTA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ne1MmnGXjenI8Ly5YAS0ufrV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\343a7681-a84e-4fd6-a318-db679668b209\\ACD3.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ACD3.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\AE0C.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\ACD3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\ACD3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\ACD3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 1212 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 1212 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 1212 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 1212 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe
PID 1212 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe
PID 1212 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe
PID 1212 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 2664 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe
PID 1212 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe
PID 1212 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe
PID 1212 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe
PID 2512 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2512 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\B30C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2832 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2832 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\SysWOW64\WerFault.exe
PID 2832 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\SysWOW64\WerFault.exe
PID 2832 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\SysWOW64\WerFault.exe
PID 2832 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\AE0C.exe C:\Windows\SysWOW64\WerFault.exe
PID 2628 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\ACD3.exe C:\Users\Admin\AppData\Local\Temp\ACD3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe"

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

C:\Users\Admin\AppData\Local\Temp\AE0C.exe

C:\Users\Admin\AppData\Local\Temp\AE0C.exe

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\B30C.exe

C:\Users\Admin\AppData\Local\Temp\B30C.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 60

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\343a7681-a84e-4fd6-a318-db679668b209" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

"C:\Users\Admin\AppData\Local\Temp\ACD3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

"C:\Users\Admin\AppData\Local\Temp\ACD3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\CB2E.exe

C:\Users\Admin\AppData\Local\Temp\CB2E.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\Pictures\B8LOOFfXaEa5ti6rBEiH6q0t.exe

"C:\Users\Admin\Pictures\B8LOOFfXaEa5ti6rBEiH6q0t.exe"

C:\Users\Admin\Pictures\Z4wjq8eZKZ4jflHlAQndjqu8.exe

"C:\Users\Admin\Pictures\Z4wjq8eZKZ4jflHlAQndjqu8.exe"

C:\Users\Admin\Pictures\OTpaRxFBCe2fekBPXIuk0Ujy.exe

"C:\Users\Admin\Pictures\OTpaRxFBCe2fekBPXIuk0Ujy.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\Pictures\bo95OYRzRLnLTQ0wzr1q4DEf.exe

"C:\Users\Admin\Pictures\bo95OYRzRLnLTQ0wzr1q4DEf.exe"

C:\Users\Admin\Pictures\X6ubZUy0JZ4J7TRSPhKjqp9c.exe

"C:\Users\Admin\Pictures\X6ubZUy0JZ4J7TRSPhKjqp9c.exe"

C:\Users\Admin\Pictures\ldfS2PgXjqFbJIg6AbFkLAKk.exe

"C:\Users\Admin\Pictures\ldfS2PgXjqFbJIg6AbFkLAKk.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\FC3F.exe

C:\Users\Admin\AppData\Local\Temp\FC3F.exe

C:\Users\Admin\AppData\Local\Temp\7zSF41F.tmp\Install.exe

.\Install.exe

C:\Users\Admin\Pictures\lLTi50S13cQc1zWrfdv1ZtjU.exe

"C:\Users\Admin\Pictures\lLTi50S13cQc1zWrfdv1ZtjU.exe"

C:\Users\Admin\Pictures\yTNyfsnCFewbW0I7ag8TmXEr.exe

"C:\Users\Admin\Pictures\yTNyfsnCFewbW0I7ag8TmXEr.exe" /s

C:\Users\Admin\AppData\Local\Temp\7zS464.tmp\Install.exe

.\Install.exe /jyafdidIl "385118" /S

C:\Users\Admin\AppData\Local\Temp\FC3F.exe

C:\Users\Admin\AppData\Local\Temp\FC3F.exe

C:\Users\Admin\Pictures\JE8MLLgEelAnknA8OTJitBA8.exe

"C:\Users\Admin\Pictures\JE8MLLgEelAnknA8OTJitBA8.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\Pictures\EFjmKtmrUpNrTT5A9nnFoBzn.exe

"C:\Users\Admin\Pictures\EFjmKtmrUpNrTT5A9nnFoBzn.exe"

C:\Users\Admin\AppData\Local\Temp\FC3F.exe

"C:\Users\Admin\AppData\Local\Temp\FC3F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\ci.exe

"C:\Users\Admin\AppData\Local\Temp\ci.exe"

C:\Users\Admin\AppData\Local\Temp\FC3F.exe

"C:\Users\Admin\AppData\Local\Temp\FC3F.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Users\Admin\AppData\Local\Temp\is-7BGCB.tmp\is-BKPES.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7BGCB.tmp\is-BKPES.tmp" /SL4 $50178 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\89076706.exe

C:\Users\Admin\AppData\Local\Temp\89076706.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 hbn42414.beget.tech udp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 ji.alie3ksgbb.com udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 104.21.90.117:80 ji.alie3ksgbb.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 galandskiyher3.com udp
US 188.114.96.0:443 jetpackdelivery.net tcp
NL 13.227.219.74:443 downloads.digitalpulsedata.com tcp
US 104.21.93.225:443 flyawayaero.net tcp
US 172.67.187.122:443 lycheepanel.info tcp
NL 194.169.175.127:80 galandskiyher3.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 172.67.180.173:443 potatogoose.com tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.111:80 net.geo.opera.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
PL 146.59.10.173:45035 tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 104.192.108.17:80 int.down.360safe.com tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 wasasoftcom.info udp
RU 77.246.100.5:80 wasasoftcom.info tcp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 nuevo.strattegi.com.co udp
US 107.180.58.67:443 nuevo.strattegi.com.co tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
NL 88.221.25.153:80 apps.identrust.com tcp
US 188.114.96.0:443 jetpackdelivery.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 172.67.187.122:443 lycheepanel.info tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.97.0:443 justsafepay.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 tr.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
DE 148.251.234.93:443 iplogger.com tcp
IE 54.76.174.118:80 tr.p.360safe.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 seriopoli.info udp
RU 77.246.100.5:80 seriopoli.info tcp
DE 52.29.179.141:80 s.360safe.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
SA 51.211.69.92:80 zexeq.com tcp
SA 51.211.69.92:80 zexeq.com tcp

Files

memory/2892-1-0x0000000002A00000-0x0000000002B00000-memory.dmp

memory/2892-3-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2892-2-0x0000000000400000-0x000000000259F000-memory.dmp

memory/1212-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/2892-5-0x0000000000400000-0x000000000259F000-memory.dmp

memory/1212-12-0x000007FF07930000-0x000007FF0793A000-memory.dmp

memory/1212-11-0x000007FEF5AE0000-0x000007FEF5C23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

C:\Users\Admin\AppData\Local\Temp\AE0C.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

C:\Users\Admin\AppData\Local\Temp\AE0C.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/2664-24-0x0000000003E40000-0x0000000003ED1000-memory.dmp

memory/2664-29-0x0000000003EE0000-0x0000000003FFB000-memory.dmp

memory/2628-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

memory/2628-32-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

memory/2664-26-0x0000000003E40000-0x0000000003ED1000-memory.dmp

memory/2628-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2628-36-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\B30C.exe

MD5 3240f8928a130bb155571570c563200a
SHA1 aa621ddde551f7e0dbeed157ab1eac3f1906f493
SHA256 a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
SHA512 e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b

\Users\Admin\AppData\Local\Temp\B30C.exe

MD5 3240f8928a130bb155571570c563200a
SHA1 aa621ddde551f7e0dbeed157ab1eac3f1906f493
SHA256 a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
SHA512 e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b

C:\Users\Admin\AppData\Local\Temp\B30C.exe

MD5 3240f8928a130bb155571570c563200a
SHA1 aa621ddde551f7e0dbeed157ab1eac3f1906f493
SHA256 a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
SHA512 e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b

\Users\Admin\AppData\Local\Temp\B30C.exe

MD5 3240f8928a130bb155571570c563200a
SHA1 aa621ddde551f7e0dbeed157ab1eac3f1906f493
SHA256 a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
SHA512 e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b

memory/1952-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1884-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1952-48-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1952-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1884-47-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1952-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1952-53-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1884-52-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1952-54-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1952-56-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1952-58-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\Temp\AE0C.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/1884-69-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/1952-70-0x00000000743A0000-0x0000000074A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB888.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/1952-80-0x00000000003D0000-0x00000000003D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarBA8E.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

\Users\Admin\AppData\Local\Temp\AE0C.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

C:\Users\Admin\AppData\Local\343a7681-a84e-4fd6-a318-db679668b209\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

memory/1884-100-0x0000000004A60000-0x0000000004AA0000-memory.dmp

\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

memory/2628-104-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

memory/2248-106-0x0000000003D40000-0x0000000003DD1000-memory.dmp

memory/2248-107-0x0000000003D40000-0x0000000003DD1000-memory.dmp

memory/1212-108-0x000007FEF5AE0000-0x000007FEF5C23000-memory.dmp

\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

C:\Users\Admin\AppData\Local\Temp\ACD3.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd5e813175aae671667f3e7de1484dac
SHA1 50f56b2268d44cf394cfbaa33b856489a24bf86f
SHA256 3ee385ab35e76b6a947a8023929e37cd1daac64a8cf09c3148244f22986abf38
SHA512 576f41077b40d13df050a8544dfb806e4d76b512341bcac06c5db820122f73d2857223651bce96dd8b0e50c294165a590e1444aa950cd63ccee78cdd746305cc

memory/1952-141-0x0000000001010000-0x0000000001050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CB2E.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/2260-146-0x0000000000100000-0x0000000000794000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CB2E.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/2260-147-0x00000000743A0000-0x0000000074A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/1884-169-0x00000000743A0000-0x0000000074A8E000-memory.dmp

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/1952-176-0x00000000743A0000-0x0000000074A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1752-178-0x00000000FF460000-0x00000000FF502000-memory.dmp

memory/1360-187-0x0000000002630000-0x0000000002730000-memory.dmp

C:\Users\Admin\Pictures\X6ubZUy0JZ4J7TRSPhKjqp9c.exe

MD5 5c081cd0843659c028df5892e55d744f
SHA1 21d71d9dcccdf84ddb42166d4ded7ba3177d92b0
SHA256 e699a9070cce4e659afcef949d65262e97bae7d506ccd620d5c42b3a42a456c9
SHA512 a5af87769a513ce4356184066d74db2b6863229fedfee4947c87eff83b17e7f4b25e68d2a51b47c217108ad2d95d5aabe7fe665e70cbfadbee9c62605eb0ac40

memory/1360-203-0x0000000000230000-0x0000000000239000-memory.dmp

C:\Users\Admin\Pictures\bo95OYRzRLnLTQ0wzr1q4DEf.exe

MD5 3251a5b914312322ed0f87bfe122be9b
SHA1 22a3c42651139fbbb90085beecc3ea96bd4ddb4c
SHA256 e6da6fd81dbbfc3907ba1b8e9b360bf236bade382d358025598617e35743a44c
SHA512 bf43149e176e4819c5997184ad555a704d2256eca0bd744c4a9a63b06df9bbf70e763dafb9d2c4255a9d0af4f3e55c2125f862c90bae69fd65435bc9c7a4153f

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2360-214-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\Pictures\bo95OYRzRLnLTQ0wzr1q4DEf.exe

MD5 3251a5b914312322ed0f87bfe122be9b
SHA1 22a3c42651139fbbb90085beecc3ea96bd4ddb4c
SHA256 e6da6fd81dbbfc3907ba1b8e9b360bf236bade382d358025598617e35743a44c
SHA512 bf43149e176e4819c5997184ad555a704d2256eca0bd744c4a9a63b06df9bbf70e763dafb9d2c4255a9d0af4f3e55c2125f862c90bae69fd65435bc9c7a4153f

\Users\Admin\Pictures\Z4wjq8eZKZ4jflHlAQndjqu8.exe

MD5 c582d0c4448b428dddb04a6a21f440ff
SHA1 8ba225fe248601a8192c0e0a51bb78c15f825656
SHA256 f6933b70a82f621c116566015c6e2ee758f276b40cdd45f09ac32ec4a23b0148
SHA512 0ae54b79ef4e54f5314078710fa2189935c0334b6cd8383ed68541174ab45f5488c5a4d3be94fbbe30a8fc3b6481ea0e56de5956f0ac9e874c2596c92ad47378

\Users\Admin\Pictures\OTpaRxFBCe2fekBPXIuk0Ujy.exe

MD5 c4b2746f3a537cbb67d711ad68f426da
SHA1 58ace4f60e6df363165a151d23f251794aa03374
SHA256 53cbbb0de98df5576d26e820cb528bc8f7a23e1395bb950c791cd1386dda0a7d
SHA512 3c6d276b056eb03631b7cbc4525dfb2dc9cd722691db47595c0ec241f57f0bd38689b79c079d70aab199a91ea7a6d06a230410339cbc6a284ad0bfd10190ebca

C:\Users\Admin\Pictures\OTpaRxFBCe2fekBPXIuk0Ujy.exe

MD5 c4b2746f3a537cbb67d711ad68f426da
SHA1 58ace4f60e6df363165a151d23f251794aa03374
SHA256 53cbbb0de98df5576d26e820cb528bc8f7a23e1395bb950c791cd1386dda0a7d
SHA512 3c6d276b056eb03631b7cbc4525dfb2dc9cd722691db47595c0ec241f57f0bd38689b79c079d70aab199a91ea7a6d06a230410339cbc6a284ad0bfd10190ebca

\Users\Admin\Pictures\Z4wjq8eZKZ4jflHlAQndjqu8.exe

MD5 c582d0c4448b428dddb04a6a21f440ff
SHA1 8ba225fe248601a8192c0e0a51bb78c15f825656
SHA256 f6933b70a82f621c116566015c6e2ee758f276b40cdd45f09ac32ec4a23b0148
SHA512 0ae54b79ef4e54f5314078710fa2189935c0334b6cd8383ed68541174ab45f5488c5a4d3be94fbbe30a8fc3b6481ea0e56de5956f0ac9e874c2596c92ad47378

\Users\Admin\Pictures\B8LOOFfXaEa5ti6rBEiH6q0t.exe

MD5 2d05cb7fb4726bb51c6059540f0e013e
SHA1 e7d75ad671c662ba956e54ccfff28465e851624d
SHA256 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4
SHA512 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b

C:\Users\Admin\Pictures\Z4wjq8eZKZ4jflHlAQndjqu8.exe

MD5 c582d0c4448b428dddb04a6a21f440ff
SHA1 8ba225fe248601a8192c0e0a51bb78c15f825656
SHA256 f6933b70a82f621c116566015c6e2ee758f276b40cdd45f09ac32ec4a23b0148
SHA512 0ae54b79ef4e54f5314078710fa2189935c0334b6cd8383ed68541174ab45f5488c5a4d3be94fbbe30a8fc3b6481ea0e56de5956f0ac9e874c2596c92ad47378

C:\Users\Admin\Pictures\B8LOOFfXaEa5ti6rBEiH6q0t.exe

MD5 2d05cb7fb4726bb51c6059540f0e013e
SHA1 e7d75ad671c662ba956e54ccfff28465e851624d
SHA256 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4
SHA512 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b

\Users\Admin\Pictures\B8LOOFfXaEa5ti6rBEiH6q0t.exe

MD5 2d05cb7fb4726bb51c6059540f0e013e
SHA1 e7d75ad671c662ba956e54ccfff28465e851624d
SHA256 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4
SHA512 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b

C:\Users\Admin\Pictures\Z4wjq8eZKZ4jflHlAQndjqu8.exe

MD5 c582d0c4448b428dddb04a6a21f440ff
SHA1 8ba225fe248601a8192c0e0a51bb78c15f825656
SHA256 f6933b70a82f621c116566015c6e2ee758f276b40cdd45f09ac32ec4a23b0148
SHA512 0ae54b79ef4e54f5314078710fa2189935c0334b6cd8383ed68541174ab45f5488c5a4d3be94fbbe30a8fc3b6481ea0e56de5956f0ac9e874c2596c92ad47378

C:\Users\Admin\Pictures\OTpaRxFBCe2fekBPXIuk0Ujy.exe

MD5 c4b2746f3a537cbb67d711ad68f426da
SHA1 58ace4f60e6df363165a151d23f251794aa03374
SHA256 53cbbb0de98df5576d26e820cb528bc8f7a23e1395bb950c791cd1386dda0a7d
SHA512 3c6d276b056eb03631b7cbc4525dfb2dc9cd722691db47595c0ec241f57f0bd38689b79c079d70aab199a91ea7a6d06a230410339cbc6a284ad0bfd10190ebca

\Users\Admin\Pictures\OTpaRxFBCe2fekBPXIuk0Ujy.exe

MD5 c4b2746f3a537cbb67d711ad68f426da
SHA1 58ace4f60e6df363165a151d23f251794aa03374
SHA256 53cbbb0de98df5576d26e820cb528bc8f7a23e1395bb950c791cd1386dda0a7d
SHA512 3c6d276b056eb03631b7cbc4525dfb2dc9cd722691db47595c0ec241f57f0bd38689b79c079d70aab199a91ea7a6d06a230410339cbc6a284ad0bfd10190ebca

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/2360-232-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1884-226-0x0000000004A60000-0x0000000004AA0000-memory.dmp

\Users\Admin\Pictures\bo95OYRzRLnLTQ0wzr1q4DEf.exe

MD5 3251a5b914312322ed0f87bfe122be9b
SHA1 22a3c42651139fbbb90085beecc3ea96bd4ddb4c
SHA256 e6da6fd81dbbfc3907ba1b8e9b360bf236bade382d358025598617e35743a44c
SHA512 bf43149e176e4819c5997184ad555a704d2256eca0bd744c4a9a63b06df9bbf70e763dafb9d2c4255a9d0af4f3e55c2125f862c90bae69fd65435bc9c7a4153f

C:\Users\Admin\Pictures\X6ubZUy0JZ4J7TRSPhKjqp9c.exe

MD5 5c081cd0843659c028df5892e55d744f
SHA1 21d71d9dcccdf84ddb42166d4ded7ba3177d92b0
SHA256 e699a9070cce4e659afcef949d65262e97bae7d506ccd620d5c42b3a42a456c9
SHA512 a5af87769a513ce4356184066d74db2b6863229fedfee4947c87eff83b17e7f4b25e68d2a51b47c217108ad2d95d5aabe7fe665e70cbfadbee9c62605eb0ac40

\Users\Admin\Pictures\X6ubZUy0JZ4J7TRSPhKjqp9c.exe

MD5 5c081cd0843659c028df5892e55d744f
SHA1 21d71d9dcccdf84ddb42166d4ded7ba3177d92b0
SHA256 e699a9070cce4e659afcef949d65262e97bae7d506ccd620d5c42b3a42a456c9
SHA512 a5af87769a513ce4356184066d74db2b6863229fedfee4947c87eff83b17e7f4b25e68d2a51b47c217108ad2d95d5aabe7fe665e70cbfadbee9c62605eb0ac40

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\Pictures\ldfS2PgXjqFbJIg6AbFkLAKk.exe

MD5 11094fde4395bd223cdc7b3f808d582e
SHA1 4d9cc9752f55b905126702e465cd4d6a43579db1
SHA256 146438ee83873275b6a971ee675f29aaf6040819a3d95202f76c51dcde96bdb7
SHA512 68ffa4357c7b046b33e0e2c1b7a411e6a3358e246deddc502c9c11535facf265c2fb71284362b5f8f6e6d28f64279a9a4b9019e5b51196cfebbcf962cd4bf5aa

C:\Users\Admin\Pictures\B8LOOFfXaEa5ti6rBEiH6q0t.exe

MD5 2d05cb7fb4726bb51c6059540f0e013e
SHA1 e7d75ad671c662ba956e54ccfff28465e851624d
SHA256 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4
SHA512 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b

C:\Users\Admin\Pictures\ldfS2PgXjqFbJIg6AbFkLAKk.exe

MD5 11094fde4395bd223cdc7b3f808d582e
SHA1 4d9cc9752f55b905126702e465cd4d6a43579db1
SHA256 146438ee83873275b6a971ee675f29aaf6040819a3d95202f76c51dcde96bdb7
SHA512 68ffa4357c7b046b33e0e2c1b7a411e6a3358e246deddc502c9c11535facf265c2fb71284362b5f8f6e6d28f64279a9a4b9019e5b51196cfebbcf962cd4bf5aa

memory/2888-263-0x0000000004320000-0x0000000004718000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_2309250651413972972.dll

MD5 6aceaeba686345df2e1f3284cc090abe
SHA1 5cc8eb87a170c5bc91472cd6cc6d435370ae741b
SHA256 73e29a88eccb162b70b366b9c91986b7bf5ce90b9072eaa88f146fb06e8d8885
SHA512 8448a64feaed4bb1af04c9a34d92c5ecfbf7da3c4cb2a1f23ccc024cfd53da8a18a6bdb45c8c337f212c23e0f1b25da44118e9b41774d7aa74b6e0a64f944d69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b113f45b45c8ea2e12e7d46af371b13b
SHA1 3f5f6a1e78b7e50c6b811ef89291cc0cd04bb9ea
SHA256 364e1a09ee108864c32103ad86fe28f833c36ee269adf6c2b875c253a70a172c
SHA512 d26d938b2e490e09d855c9dd4a31fc32c3ff9c771a92a0c00b00e832b50ce04719c604016c589270e7ba23944dc85d99e6bf4c9ed298748793bb6023ec7530de

\Users\Admin\AppData\Local\Temp\7zSF41F.tmp\Install.exe

MD5 e7d34bf1997ab7450fa65621eeb231b6
SHA1 3e8aef62c5d4dfa0ffa8c59b0a8eefb6582481eb
SHA256 86fdf002f79d8ffdc4d63790da26827e809d4ac05eec81659f189615a4dbf79f
SHA512 6d2e5cdf4d795f4e13cfc029fb263e54a93f82356144de41181c895b840dace2d8ae012ebe281d17c74539392e0825cba2e46dbb9cc98b4801232afd30d3c635

C:\Users\Admin\AppData\Local\Temp\FC3F.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

C:\Users\Admin\AppData\Local\Temp\7zSF41F.tmp\Install.exe

MD5 e7d34bf1997ab7450fa65621eeb231b6
SHA1 3e8aef62c5d4dfa0ffa8c59b0a8eefb6582481eb
SHA256 86fdf002f79d8ffdc4d63790da26827e809d4ac05eec81659f189615a4dbf79f
SHA512 6d2e5cdf4d795f4e13cfc029fb263e54a93f82356144de41181c895b840dace2d8ae012ebe281d17c74539392e0825cba2e46dbb9cc98b4801232afd30d3c635

\Users\Admin\AppData\Local\Temp\7zSF41F.tmp\Install.exe

MD5 e7d34bf1997ab7450fa65621eeb231b6
SHA1 3e8aef62c5d4dfa0ffa8c59b0a8eefb6582481eb
SHA256 86fdf002f79d8ffdc4d63790da26827e809d4ac05eec81659f189615a4dbf79f
SHA512 6d2e5cdf4d795f4e13cfc029fb263e54a93f82356144de41181c895b840dace2d8ae012ebe281d17c74539392e0825cba2e46dbb9cc98b4801232afd30d3c635

C:\Users\Admin\AppData\Local\Temp\7zSF41F.tmp\Install.exe

MD5 e7d34bf1997ab7450fa65621eeb231b6
SHA1 3e8aef62c5d4dfa0ffa8c59b0a8eefb6582481eb
SHA256 86fdf002f79d8ffdc4d63790da26827e809d4ac05eec81659f189615a4dbf79f
SHA512 6d2e5cdf4d795f4e13cfc029fb263e54a93f82356144de41181c895b840dace2d8ae012ebe281d17c74539392e0825cba2e46dbb9cc98b4801232afd30d3c635

C:\Users\Admin\Pictures\yTNyfsnCFewbW0I7ag8TmXEr.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

memory/1212-320-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/1840-322-0x0000000003E50000-0x0000000003EE2000-memory.dmp

memory/2360-321-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1828-416-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1828-418-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Pictures\JE8MLLgEelAnknA8OTJitBA8.exe

MD5 01206ed92910ce58526e694749ff3e82
SHA1 37ee91aae8d6b2047607bcfb07cfcfa3aedc97c4
SHA256 5a28576593d1f6218f098e907daee2f0f191ddc3bacd472cc9ac5593c13351fc
SHA512 3d382ee06bebfcb12171193cea0c887efb3b3e3cdf532db9b109f8ee4cf0a907ffa6b20974d3a5cc8b52d33bacfbbd22a003e725bce7e5213f93c89ac6f8a2d1

memory/1840-427-0x0000000003EF0000-0x000000000400B000-memory.dmp

memory/1840-426-0x0000000003E50000-0x0000000003EE2000-memory.dmp

memory/1460-436-0x0000000010000000-0x0000000010581000-memory.dmp

memory/1440-464-0x0000000000FA0000-0x0000000001114000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e0be0c55680160ca1e1be9195fc31b0
SHA1 681cc75b9d9bdca351544419b44b0ebaf8802f37
SHA256 ce657f6285fdbbc52ff080c11be3ff1762d222765b5af89f04ada2ffa653f976
SHA512 76ce38349a73e929690b069fcf57cdd415289b62befca40cd42fc97f2cdbda9a9b311b60fd6463d016d72e3f629d66e16787d9f7c1417be877ab250d24c658ba

memory/2260-510-0x00000000743A0000-0x0000000074A8E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22391850c912bf986daf836029778eb0
SHA1 27fc2b3ece56dc70a9ca07a597937a44b9f1f17c
SHA256 816410af9a98cfaab7013314ea4129ecf9005d6f7a25ee5afa9e8fd6632f733a
SHA512 58cfb8c479a97f1d197ff61439f0814216b22ff52a48b68321eb5bea60f38a6e54ee4b5b23842ea7664de52952d85a8ef9a5849e360f2c4a77b6e2703a7f5a6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a47fff7392931a7049622f31d387f98
SHA1 c2017855b4747c699c0e6054c99c05d2d4caf446
SHA256 0e57c7cd56217742464cd2b235646989487024ccd1ca6366a5128c9fd1c2bddc
SHA512 ed81f1167c9d351bd877e8b2cc5c7d2373595d2931c375e10302b0c66d0e940a1f5c5407963706b98b393241294329fcc3de18d74d27de51893184b980cdd44b

C:\Users\Admin\Pictures\EFjmKtmrUpNrTT5A9nnFoBzn.exe

MD5 5d4ebc4ec639ab7dd68ea0f1acf7f11c
SHA1 bb7d05bf3557c9b09c000b4de7d9a872d0553d34
SHA256 e51a4bd2e1026030b27d5d1a52d1d1f28d45f7c39a9f0d5a1fccb1ba17b76474
SHA512 9c006a04ef090a65dc4a0f2fc452a966b3d4888325b28f40678e25c736f0a83d4d793aac8bfa033c5a9f5c62193639d1a5e7a04ff13d355672cd3064531d7a3a

memory/1828-641-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2872-642-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2028-677-0x0000000000270000-0x0000000000302000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 436ef06279a77686860b6a932fb144a0
SHA1 59d1412030cf4e19031b6fd16335e69ac8786763
SHA256 b835d72bbb2c9860b9af239eb67c0737178b92a0c15ba71ca0c31ef4f95319a6
SHA512 1c9cb7b75561c12153ad3af680f57afeb6e17f86d19ea8ee1b6d147aef6253c0976f087fce607b844bfc4697ad8af5feeaeb03c660f9aa16b4b63f431a63a206

C:\Users\Admin\AppData\Local\Temp\ci.exe

MD5 e9bbf60a02ceb5cbb6b712c1f0d18f2b
SHA1 d632e47f4ae4d75c22871ae6bffa50bd1f740373
SHA256 7e950b8809c9c3b7fe396a0010c6ecf22a11d373f967cc070ba36bb579bd43ad
SHA512 534341f2e1f52dce2a4c8a30aa7824283e8af6cb558aa1e7b1da3e5b8d7a1b2e9668bf040ad4ed100c8a61b4b57ca9daa0a53d35242c1a4d59d5fbc60c272bb0

memory/2972-739-0x0000000001120000-0x0000000001655000-memory.dmp

memory/2028-744-0x0000000000270000-0x0000000000302000-memory.dmp

memory/1952-745-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/1952-746-0x0000000008270000-0x000000000861C000-memory.dmp

memory/1440-747-0x00000000743A0000-0x0000000074A8E000-memory.dmp

memory/1312-748-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

memory/3036-764-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

memory/3036-765-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/560-770-0x0000000000AC0000-0x0000000000E6C000-memory.dmp

memory/560-769-0x0000000000AC0000-0x0000000000E6C000-memory.dmp

memory/560-772-0x0000000000AC0000-0x0000000000E6C000-memory.dmp

memory/3036-774-0x000007FEEE2D0000-0x000007FEEEC6D000-memory.dmp

memory/3036-775-0x00000000027C4000-0x00000000027C7000-memory.dmp

memory/3036-776-0x00000000027CB000-0x0000000002832000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-25 06:50

Reported

2023-09-25 06:53

Platform

win10v2004-20230915-en

Max time kernel

28s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B892.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B99C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B892.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2032 set thread context of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\B99C.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 2032 N/A N/A C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2576 wrote to memory of 2032 N/A N/A C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2576 wrote to memory of 2032 N/A N/A C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2576 wrote to memory of 4160 N/A N/A C:\Users\Admin\AppData\Local\Temp\B99C.exe
PID 2576 wrote to memory of 4160 N/A N/A C:\Users\Admin\AppData\Local\Temp\B99C.exe
PID 2576 wrote to memory of 4160 N/A N/A C:\Users\Admin\AppData\Local\Temp\B99C.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe
PID 2032 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\B892.exe C:\Users\Admin\AppData\Local\Temp\B892.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02.exe"

C:\Users\Admin\AppData\Local\Temp\B892.exe

C:\Users\Admin\AppData\Local\Temp\B892.exe

C:\Users\Admin\AppData\Local\Temp\B99C.exe

C:\Users\Admin\AppData\Local\Temp\B99C.exe

C:\Users\Admin\AppData\Local\Temp\B892.exe

C:\Users\Admin\AppData\Local\Temp\B892.exe

C:\Users\Admin\AppData\Local\Temp\BBB1.exe

C:\Users\Admin\AppData\Local\Temp\BBB1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 240

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fa0c72b2-6e0c-4ad7-aa62-4572f231ddde" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B892.exe

"C:\Users\Admin\AppData\Local\Temp\B892.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Pictures\1vdMJ4VVmutN6UZMtuKWoU36.exe

"C:\Users\Admin\Pictures\1vdMJ4VVmutN6UZMtuKWoU36.exe"

C:\Users\Admin\Pictures\cHbcA9EfII9gl5ssmSsNGhyR.exe

"C:\Users\Admin\Pictures\cHbcA9EfII9gl5ssmSsNGhyR.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 ji.alie3ksgbb.com udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 hbn42414.beget.tech udp
US 8.8.8.8:53 lycheepanel.info udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 galandskiyher3.com udp
US 8.8.8.8:53 net.geo.opera.com udp
US 104.21.93.225:443 flyawayaero.net tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 188.114.97.0:80 ji.alie3ksgbb.com tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 172.67.187.122:443 lycheepanel.info tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 nuevo.strattegi.com.co udp
NL 13.227.219.74:443 downloads.digitalpulsedata.com tcp
US 188.114.97.1:443 jetpackdelivery.net tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
US 8.8.8.8:53 wasasoftcom.info udp
US 107.180.58.67:443 nuevo.strattegi.com.co tcp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
RU 77.246.100.5:80 wasasoftcom.info tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.97.0:443 justsafepay.com tcp
NL 194.169.175.127:80 galandskiyher3.com tcp
US 8.8.8.8:53 d241.userscloud.net udp
DE 168.119.1.241:443 d241.userscloud.net tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 1.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 74.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 5.19.236.87.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 5.100.246.77.in-addr.arpa udp
US 8.8.8.8:53 67.58.180.107.in-addr.arpa udp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 241.1.119.168.in-addr.arpa udp
US 8.8.8.8:53 17.108.192.104.in-addr.arpa udp
PL 146.59.10.173:45035 tcp

Files

memory/1724-1-0x00000000025B0000-0x00000000026B0000-memory.dmp

memory/1724-2-0x0000000000400000-0x000000000259F000-memory.dmp

memory/1724-3-0x0000000002720000-0x0000000002729000-memory.dmp

memory/2576-4-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

memory/1724-5-0x0000000000400000-0x000000000259F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B892.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

C:\Users\Admin\AppData\Local\Temp\B892.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

C:\Users\Admin\AppData\Local\Temp\B99C.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

C:\Users\Admin\AppData\Local\Temp\B99C.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/2032-20-0x0000000002880000-0x0000000002914000-memory.dmp

memory/2032-21-0x0000000004330000-0x000000000444B000-memory.dmp

memory/3884-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3884-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B892.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

memory/3884-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBB1.exe

MD5 3240f8928a130bb155571570c563200a
SHA1 aa621ddde551f7e0dbeed157ab1eac3f1906f493
SHA256 a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
SHA512 e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b

memory/3884-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBB1.exe

MD5 3240f8928a130bb155571570c563200a
SHA1 aa621ddde551f7e0dbeed157ab1eac3f1906f493
SHA256 a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
SHA512 e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b

memory/3792-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3792-32-0x0000000073B60000-0x0000000074310000-memory.dmp

memory/3792-34-0x0000000005120000-0x0000000005130000-memory.dmp

memory/2120-33-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2120-36-0x0000000073B60000-0x0000000074310000-memory.dmp

memory/2120-35-0x00000000026F0000-0x00000000026F6000-memory.dmp

C:\Users\Admin\AppData\Local\fa0c72b2-6e0c-4ad7-aa62-4572f231ddde\B892.exe

MD5 d1720162dd86f22f6779f9b3494d9c26
SHA1 fc1c7735355ec627796e85bf7c181aa7dd14091e
SHA256 828186e86db3578c3d79c7ccbdce3a9702054522d5025b1bd4bb55231cc9de32
SHA512 7d3dc7213eeab249b13afa7660dd3d8f1382b96c2f2b8c223aa4a632242542c32b995bb35fcdf20cf84fdcdfe7ce45da0728d6dad84cb38b89c8b54e90cf66b9

memory/2120-45-0x0000000005430000-0x0000000005A48000-memory.dmp

memory/2120-46-0x0000000004F20000-0x000000000502A000-memory.dmp

memory/2120-47-0x0000000004E30000-0x0000000004E42000-memory.dmp

memory/2120-48-0x0000000002710000-0x0000000002720000-memory.dmp

memory/2120-49-0x0000000004E90000-0x0000000004ECC000-memory.dmp

memory/3884-61-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B892.exe

MD5 fb5b787cd48ea92d9ae7feaedb157331
SHA1 f8410c2fae415e3c63ef223cdd8a9138976197de
SHA256 07a7b9833123778ddf44d041d3f5f5c7a96f011112892866ebb7da7b58f9f9ee
SHA512 c48d6c4ba3500d164e5f8ad3afdbe64bd2e30d9bc98855f6e3fbfefa42464f0c3e228b8a971f1f25bb327e52df1d1c05b1990507c88f2dffa287a4e3033b8bab

C:\Users\Admin\Pictures\hJbS1dFNOHsXe4jJkUw9TblI.exe

MD5 06f19a070cdd2f5ee676314cb9e58af6
SHA1 1bbc3aefad9ffa97e3fdeba410b1a9e3ee2f35d7
SHA256 1d07083837c52fdf471e8cc31f8e2b0ced77034e8011bfb4c664f2470ce2ab27
SHA512 71bea523e8755179e2ec016ec895385c45262ebd9f1487611eb15abe6600231ca649fd04fd7709b326d6ae116292200f0f3ebd7eeeb10be5d9ad7fb52d9accdd