Malware Analysis Report

2025-01-02 09:17

Sample ID 231004-lr7snacf39
Target sample2.exe
SHA256 e5b84c2a8be1ba64822a131eebf088a0f05befe529f21b5f490da9d72c36f63d
Tags
amadey djvu fabookie smokeloader vidar b4fc4cd2d76417bf461814b9d989fcdb backdoor discovery persistence ransomware spyware stealer trojan redline logsdiller cloud (tg: @logsdillabot) infostealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

e5b84c2a8be1ba64822a131eebf088a0f05befe529f21b5f490da9d72c36f63d

Threat Level: Known bad

The file sample2.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu fabookie smokeloader vidar b4fc4cd2d76417bf461814b9d989fcdb backdoor discovery persistence ransomware spyware stealer trojan redline logsdiller cloud (tg: @logsdillabot) infostealer

Djvu Ransomware

Fabookie

Amadey

Detected Djvu ransomware

SmokeLoader

RedLine

Detect Fabookie payload

Vidar

RedLine payload

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 09:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 09:47

Reported

2023-10-04 09:49

Platform

win7-20230831-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sample2.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1e3cdbdf-bb31-4d59-96a6-0fd0d90ea7ca\\A296.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A296.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\Temp\A296.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\Temp\A296.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\Temp\B5AB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\1000095001\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\A296.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301
d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\A296.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\Temp\A296.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\1000095001\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\1000095001\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\Temp\1000095001\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\A296.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\B5AB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <Blob data omitted> C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 1204 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 1204 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 1204 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 2668 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\A296.exe C:\Users\Admin\AppData\Local\Temp\A296.exe
PID 1204 wrote to memory of 2444 N/A N/A C:\Users\Admin\AppData\Local\Temp\B359.exe
PID 1204 wrote to memory of 2444 N/A N/A C:\Users\Admin\AppData\Local\Temp\B359.exe
PID 1204 wrote to memory of 2444 N/A N/A C:\Users\Admin\AppData\Local\Temp\B359.exe
PID 1204 wrote to memory of 2444 N/A N/A C:\Users\Admin\AppData\Local\Temp\B359.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\B359.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\B359.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\B359.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2444 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\B359.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2960 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2652 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2652 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2652 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1204 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1204 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1204 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1204 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 1796 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\B5AB.exe C:\Users\Admin\AppData\Local\Temp\B5AB.exe
PID 2652 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2652 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2652 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2652 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB66.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB66.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB66.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB66.exe
PID 2652 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\sample2.exe

"C:\Users\Admin\AppData\Local\Temp\sample2.exe"

C:\Users\Admin\AppData\Local\Temp\A296.exe

C:\Users\Admin\AppData\Local\Temp\A296.exe

C:\Users\Admin\AppData\Local\Temp\A296.exe

C:\Users\Admin\AppData\Local\Temp\A296.exe

C:\Users\Admin\AppData\Local\Temp\B359.exe

C:\Users\Admin\AppData\Local\Temp\B359.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\B5AB.exe

C:\Users\Admin\AppData\Local\Temp\B5AB.exe

C:\Users\Admin\AppData\Local\Temp\B5AB.exe

C:\Users\Admin\AppData\Local\Temp\B5AB.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\BB66.exe

C:\Users\Admin\AppData\Local\Temp\BB66.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1e3cdbdf-bb31-4d59-96a6-0fd0d90ea7ca" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000095001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000095001\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\B5AB.exe

"C:\Users\Admin\AppData\Local\Temp\B5AB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B5AB.exe

"C:\Users\Admin\AppData\Local\Temp\B5AB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A296.exe

"C:\Users\Admin\AppData\Local\Temp\A296.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A296.exe

"C:\Users\Admin\AppData\Local\Temp\A296.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe

"C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DFA80A7A-289D-41F1-8C6F-EC4EBBD9850F} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build3.exe

"C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe

"C:\Users\Admin\AppData\Local\fb15d81f-7635-439a-a0f2-c16679a5f1b1\build2.exe"

C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe

"C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe"

C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build3.exe

"C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe

"C:\Users\Admin\AppData\Local\f4e6b5c4-2a6b-4978-951d-29f969aad356\build2.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.218.244:443 api.2ip.ua tcp
NL 162.0.218.244:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 oki.iellssfjjff.com udp
US 172.67.167.148:80 oki.iellssfjjff.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 95.214.27.254:80 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
NL 162.0.218.244:443 api.2ip.ua tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
US 8.8.8.8:53 colisumy.com udp
MX 201.124.243.137:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 211.59.14.90:80 zexeq.com tcp
KR 211.59.14.90:80 zexeq.com tcp
NL 162.0.218.244:443 api.2ip.ua tcp
US 95.214.27.254:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 colisumy.com udp
BG 95.158.162.200:80 colisumy.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 95.214.27.254:80 tcp
DE 116.203.7.13:80 116.203.7.13 tcp
KR 211.59.14.90:80 colisumy.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 95.214.27.254:80 tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 116.203.7.13:80 116.203.7.13 tcp
US 95.214.27.254:80 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-04 09:47

Reported

2023-10-04 09:49

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sample2.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EB5C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ED03.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fe06cfe9-5696-4d0f-8817-c1f9967222de\\ED03.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ED03.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\Temp\E407.exe
PID 3168 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\Temp\E407.exe
PID 3168 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\Temp\E407.exe
PID 3168 wrote to memory of 1256 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7E0.exe
PID 3168 wrote to memory of 1256 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7E0.exe
PID 3168 wrote to memory of 1256 N/A N/A C:\Users\Admin\AppData\Local\Temp\E7E0.exe
PID 3168 wrote to memory of 1348 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB5C.exe
PID 3168 wrote to memory of 1348 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB5C.exe
PID 3168 wrote to memory of 1348 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB5C.exe
PID 3168 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 3168 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 3168 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 3168 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe
PID 3168 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe
PID 3168 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe
PID 1348 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\EB5C.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1348 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\EB5C.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1348 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\EB5C.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 4564 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe
PID 3164 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3164 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3164 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3164 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3696 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\EEAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Windows\SysWOW64\icacls.exe
PID 4832 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Windows\SysWOW64\icacls.exe
PID 4832 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Windows\SysWOW64\icacls.exe
PID 3900 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4832 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\ED03.exe C:\Users\Admin\AppData\Local\Temp\ED03.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\sample2.exe

"C:\Users\Admin\AppData\Local\Temp\sample2.exe"

C:\Users\Admin\AppData\Local\Temp\E407.exe

C:\Users\Admin\AppData\Local\Temp\E407.exe

C:\Users\Admin\AppData\Local\Temp\E7E0.exe

C:\Users\Admin\AppData\Local\Temp\E7E0.exe

C:\Users\Admin\AppData\Local\Temp\EB5C.exe

C:\Users\Admin\AppData\Local\Temp\EB5C.exe

C:\Users\Admin\AppData\Local\Temp\ED03.exe

C:\Users\Admin\AppData\Local\Temp\ED03.exe

C:\Users\Admin\AppData\Local\Temp\EEAA.exe

C:\Users\Admin\AppData\Local\Temp\EEAA.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\ED03.exe

C:\Users\Admin\AppData\Local\Temp\ED03.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3696 -ip 3696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 148

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fe06cfe9-5696-4d0f-8817-c1f9967222de" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\ED03.exe

"C:\Users\Admin\AppData\Local\Temp\ED03.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ED03.exe

"C:\Users\Admin\AppData\Local\Temp\ED03.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1872 -ip 1872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.218.244:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 132.152.255.51.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/208-1-0x0000000002E10000-0x0000000002F10000-memory.dmp

memory/208-2-0x0000000002D50000-0x0000000002D59000-memory.dmp

memory/208-3-0x0000000000400000-0x0000000002BAD000-memory.dmp

memory/3168-4-0x0000000002F70000-0x0000000002F86000-memory.dmp

memory/208-5-0x0000000000400000-0x0000000002BAD000-memory.dmp

memory/208-8-0x0000000002D50000-0x0000000002D59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E407.exe

MD5 8f4c3da1585a072e6502ac568601601b
SHA1 35b0ed8212cee181bf43686b4e5425e2c7d0ffc5
SHA256 1b13cd2633c86e3aa4b216534b7e516a55f89945270a5485ca7cc9411dd5728d
SHA512 aecef7bea0e43c616862e0544b1fcfcb594b1e28b5615d4387d9cca0ad00cb1e52b9c7dea0cf652594cbbf1d9210ebf9af78427cab56cf321c3d7a67174bc36a

C:\Users\Admin\AppData\Local\Temp\E407.exe

MD5 8f4c3da1585a072e6502ac568601601b
SHA1 35b0ed8212cee181bf43686b4e5425e2c7d0ffc5
SHA256 1b13cd2633c86e3aa4b216534b7e516a55f89945270a5485ca7cc9411dd5728d
SHA512 aecef7bea0e43c616862e0544b1fcfcb594b1e28b5615d4387d9cca0ad00cb1e52b9c7dea0cf652594cbbf1d9210ebf9af78427cab56cf321c3d7a67174bc36a

C:\Users\Admin\AppData\Local\Temp\E7E0.exe

MD5 223a38f4f12c2db31b79832a8bb73d3c
SHA1 f530e8f56f8322820a14193b1579705675fbc61a
SHA256 a716a3b57ad6a0038e69305eaeed5842c31e5a3aa496d1ac1a0af944319cc25a
SHA512 72c35e5ce3c44d3a6002ea86ed3e90c955609161454095ac4ba530891382dc155d478690f257f92af73c45912fb147b924a0a7393ed5618f11708bbc02984049

C:\Users\Admin\AppData\Local\Temp\E7E0.exe

MD5 223a38f4f12c2db31b79832a8bb73d3c
SHA1 f530e8f56f8322820a14193b1579705675fbc61a
SHA256 a716a3b57ad6a0038e69305eaeed5842c31e5a3aa496d1ac1a0af944319cc25a
SHA512 72c35e5ce3c44d3a6002ea86ed3e90c955609161454095ac4ba530891382dc155d478690f257f92af73c45912fb147b924a0a7393ed5618f11708bbc02984049

C:\Users\Admin\AppData\Local\Temp\EB5C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\EB5C.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\ED03.exe

MD5 57d66bc14d0dc3903ede210e01d6baac
SHA1 46f64ca57ab62628ee054e6a9b7e5c8d986b94ab
SHA256 1d7afdd7f0376b99dd5034c795292de369d900bb5820a73b7cb95fe8d1a3aad0
SHA512 42028b9e1e467df7b193c37015b481c7132c1320c18b488e9f5df3129163b1bab8c65e20de9ab6bde5332a14b17197b991c4e21762666483e72c1801059ed6fc

C:\Users\Admin\AppData\Local\Temp\ED03.exe

MD5 57d66bc14d0dc3903ede210e01d6baac
SHA1 46f64ca57ab62628ee054e6a9b7e5c8d986b94ab
SHA256 1d7afdd7f0376b99dd5034c795292de369d900bb5820a73b7cb95fe8d1a3aad0
SHA512 42028b9e1e467df7b193c37015b481c7132c1320c18b488e9f5df3129163b1bab8c65e20de9ab6bde5332a14b17197b991c4e21762666483e72c1801059ed6fc

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\EEAA.exe

MD5 7aa2d4005c0688fbb8c3ff8f1ad2f898
SHA1 789b429372d9eec386382a1893efb56a52890d5d
SHA256 940fcb61134684d28efa774fecdd1c6ccd179e38c1e060ea04c8270ee18a16a0
SHA512 4dd6ce4903a33ab1a8fc4a2a8e3467833b1ad60573e0ce0da250526c96f06180b52b4147e1f155c8833c082f49af04e25fff7e1f6bdea73f24ea6a118ae6e18f

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4564-42-0x0000000002370000-0x000000000240B000-memory.dmp

memory/4564-43-0x0000000004080000-0x000000000419B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4832-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED03.exe

MD5 57d66bc14d0dc3903ede210e01d6baac
SHA1 46f64ca57ab62628ee054e6a9b7e5c8d986b94ab
SHA256 1d7afdd7f0376b99dd5034c795292de369d900bb5820a73b7cb95fe8d1a3aad0
SHA512 42028b9e1e467df7b193c37015b481c7132c1320c18b488e9f5df3129163b1bab8c65e20de9ab6bde5332a14b17197b991c4e21762666483e72c1801059ed6fc

memory/4832-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4832-48-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEAA.exe

MD5 7aa2d4005c0688fbb8c3ff8f1ad2f898
SHA1 789b429372d9eec386382a1893efb56a52890d5d
SHA256 940fcb61134684d28efa774fecdd1c6ccd179e38c1e060ea04c8270ee18a16a0
SHA512 4dd6ce4903a33ab1a8fc4a2a8e3467833b1ad60573e0ce0da250526c96f06180b52b4147e1f155c8833c082f49af04e25fff7e1f6bdea73f24ea6a118ae6e18f

memory/4832-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1432-54-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1432-57-0x0000000072B20000-0x00000000732D0000-memory.dmp

memory/1432-60-0x0000000008300000-0x00000000088A4000-memory.dmp

memory/1432-61-0x0000000007DF0000-0x0000000007E82000-memory.dmp

memory/1432-62-0x0000000008040000-0x0000000008050000-memory.dmp

memory/1432-63-0x0000000007DD0000-0x0000000007DDA000-memory.dmp

C:\Users\Admin\AppData\Local\fe06cfe9-5696-4d0f-8817-c1f9967222de\ED03.exe

MD5 57d66bc14d0dc3903ede210e01d6baac
SHA1 46f64ca57ab62628ee054e6a9b7e5c8d986b94ab
SHA256 1d7afdd7f0376b99dd5034c795292de369d900bb5820a73b7cb95fe8d1a3aad0
SHA512 42028b9e1e467df7b193c37015b481c7132c1320c18b488e9f5df3129163b1bab8c65e20de9ab6bde5332a14b17197b991c4e21762666483e72c1801059ed6fc

memory/1432-65-0x0000000008ED0000-0x00000000094E8000-memory.dmp

memory/1432-66-0x00000000088B0000-0x00000000089BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED03.exe

MD5 57d66bc14d0dc3903ede210e01d6baac
SHA1 46f64ca57ab62628ee054e6a9b7e5c8d986b94ab
SHA256 1d7afdd7f0376b99dd5034c795292de369d900bb5820a73b7cb95fe8d1a3aad0
SHA512 42028b9e1e467df7b193c37015b481c7132c1320c18b488e9f5df3129163b1bab8c65e20de9ab6bde5332a14b17197b991c4e21762666483e72c1801059ed6fc

memory/4832-67-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1432-69-0x0000000008050000-0x0000000008062000-memory.dmp

memory/1432-71-0x00000000080B0000-0x00000000080EC000-memory.dmp

memory/1432-73-0x00000000080F0000-0x000000000813C000-memory.dmp

memory/3656-74-0x0000000003E30000-0x0000000003EC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED03.exe

MD5 57d66bc14d0dc3903ede210e01d6baac
SHA1 46f64ca57ab62628ee054e6a9b7e5c8d986b94ab
SHA256 1d7afdd7f0376b99dd5034c795292de369d900bb5820a73b7cb95fe8d1a3aad0
SHA512 42028b9e1e467df7b193c37015b481c7132c1320c18b488e9f5df3129163b1bab8c65e20de9ab6bde5332a14b17197b991c4e21762666483e72c1801059ed6fc

memory/1872-77-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1872-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1872-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1432-83-0x0000000072B20000-0x00000000732D0000-memory.dmp

memory/1432-84-0x00000000089C0000-0x0000000008A26000-memory.dmp

memory/1432-85-0x0000000008040000-0x0000000008050000-memory.dmp

memory/1432-86-0x0000000009780000-0x00000000097D0000-memory.dmp

memory/1432-87-0x000000000A7B0000-0x000000000A972000-memory.dmp

memory/1432-88-0x000000000AEB0000-0x000000000B3DC000-memory.dmp

memory/1432-90-0x0000000072B20000-0x00000000732D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4