Analysis Overview
SHA256
dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93
Threat Level: Known bad
The file dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Process spawned unexpected child process
Raccoon
NetSupport
SmokeLoader
RedLine Payload
RedLine
Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Downloads MZ/PE file
Reads user/profile data of web browsers
Deletes itself
Checks BIOS information in registry
Identifies Wine through registry keys
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2021-11-13 08:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-13 08:21
Reported
2021-11-13 08:23
Platform
win10-en-20211014
Max time kernel
151s
Max time network
150s
Command Line
Signatures
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
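The fourteen rows above all say the same thing: schtasks.exe was started by a parent that has no business creating scheduled tasks. The following is an added example, not the sandbox's own signature logic, of how a lineage rule for that case looks when run over Sysmon-style process-creation events. The events are constructed to mirror this report (wmiprvse.exe and the dropper CF0C.exe both launching schtasks.exe); the PIDs are illustrative and EXPECTED_PARENTS is an assumed baseline that needs tuning per estate.

```python
"""Process-lineage rule for 'unexpected child process' findings.

Added example, not part of the sandbox report. Evaluates an allow-list of
expected parents for persistence-related system binaries over constructed
process-creation events modelled on the report above.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str


# Assumed baseline: who normally launches these LOLBins on a workstation.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "mmc.exe"},
    "reg.exe": {"cmd.exe", "powershell.exe", "explorer.exe"},
}
# WmiPrvSE.exe hosts WMI providers; a child process means someone called
# Win32_Process.Create (locally or remotely), which deserves a look on its own.
WMI_HOST = "wmiprvse.exe"


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(ev: ProcEvent) -> list:
    """Return the reasons an event is suspicious (empty list = expected)."""
    child, parent = _name(ev.image), _name(ev.parent_image)
    reasons = []
    if parent == WMI_HOST:
        reasons.append(f"{child} spawned by WmiPrvSE.exe (WMI-initiated execution)")
    allowed = EXPECTED_PARENTS.get(child)
    if allowed is not None and parent not in allowed:
        reasons.append(f"{child} launched by unexpected parent {parent}")
    return reasons


def triage(events) -> dict:
    """Map pid -> reasons for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


# Constructed events: paths and command lines follow the report, PIDs are made up.
SAMPLE_EVENTS = [
    ProcEvent(4120, 2860, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe",
              r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\netprofm\WmiPrvSE.exe'" /rl HIGHEST /f'''),
    ProcEvent(5010, 3148, r"C:\Windows\system32\schtasks.exe",
              r"C:\Users\Admin\AppData\Local\Temp\CF0C.exe",
              r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f'''),
    ProcEvent(6100, 1200, r"C:\Windows\system32\schtasks.exe",          # benign control (constructed)
              r"C:\Windows\system32\cmd.exe", "schtasks.exe /query /tn Backup"),
    ProcEvent(2860, 880, r"C:\Windows\system32\wbem\wmiprvse.exe",      # normal: WMI host under svchost
              r"C:\Windows\system32\svchost.exe", "wmiprvse.exe -secured -Embedding"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The rule fires twice on the wmiprvse.exe event (WMI-initiated execution plus an unexpected parent) and once on the CF0C.exe event, which is the more useful hit here: the Processes section of this report lists CF0C.exe's own command line immediately before the schtasks calls, so corroborate the parent attribution from that section rather than trusting a single parent field.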
Raccoon
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3888 created 596 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C371.exe |
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30D2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3B33.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3B33.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5E6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\669B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5E6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C371.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C5E3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C5E3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\KBDRO\WerFault.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\KBDRO\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\KBDRO\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnk | C:\Users\Admin\AppData\Local\Temp\669B.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Wine | C:\Windows\SysWOW64\KBDRO\WerFault.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C5E3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C5E3.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\netprofm\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\SchCache\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WerFault = "\"C:\\Windows\\SysWOW64\\MSFlacDecoder\\WerFault.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\usk\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\iedkcs32\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WerFault = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\WerFault.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SAPITask\\SearchUI.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\client32 = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\client32.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WerFault = "\"C:\\Windows\\SysWOW64\\KBDRO\\WerFault.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\msoeacct\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Users\\Default User\\ShellExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5E6C = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jusched\\5E6C.exe\"" | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\KBDRO\ee201eac4591f0b16735de891f3d31be299085b8 | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\usk\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\usk\5b884080fd4f94e2695da25c503f9e33b9605b83 | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\netprofm\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\netprofm\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\iedkcs32\cc11b995f2a76da408ea6a601e682e64743153ad | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\MSFlacDecoder\ee201eac4591f0b16735de891f3d31be299085b8 | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\KBDRO\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\netprofm\24dbde2999530ef5fd907494bc374d663924116c | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\msoeacct\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\msoeacct\eddb19405b7ce1152b3e19997f2b467f0b72b3d3 | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\iedkcs32\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SysWOW64\MSFlacDecoder\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\KBDRO\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3148 set thread context of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe |
| PID 672 set thread context of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\26ED.exe | C:\Users\Admin\AppData\Local\Temp\26ED.exe |
| PID 3440 set thread context of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\2B91.exe | C:\Users\Admin\AppData\Local\Temp\2B91.exe |
| PID 668 set thread context of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\3B33.exe | C:\Users\Admin\AppData\Local\Temp\3B33.exe |
| PID 1244 set thread context of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\5E6C.exe | C:\Users\Admin\AppData\Local\Temp\5E6C.exe |
| PID 1168 set thread context of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\C5E3.exe | C:\Users\Admin\AppData\Local\Temp\C5E3.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Java\Java Update\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Java\Java Update\ee201eac4591f0b16735de891f3d31be299085b8 | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140\e6c9b481da804f07baff8eff543b0a1441069b5d | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\client32.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\9ee9c94cd2b73ef3e7adb9a6f54e9f72db153dc5 | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\e6c9b481da804f07baff8eff543b0a1441069b5d | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SAPITask\SearchUI.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SAPITask\dab4d89cac03ec27dbe47b361df763dc3f848f6c | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SchCache\explorer.exe | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| File created | C:\Windows\SchCache\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C371.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C5E3.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\30D2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\30D2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\30D2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30D2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2B91.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C5E3.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CF0C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\KBDRO\WerFault.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinSup\client32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe
"C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe"
C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe
"C:\Users\Admin\AppData\Local\Temp\dc2142d26c23172e92bd220a6bbcb44b2e135d0077bd55756aaa5aee7e277c93.exe"
C:\Users\Admin\AppData\Local\Temp\26ED.exe
C:\Users\Admin\AppData\Local\Temp\26ED.exe
C:\Users\Admin\AppData\Local\Temp\2B91.exe
C:\Users\Admin\AppData\Local\Temp\2B91.exe
C:\Users\Admin\AppData\Local\Temp\30D2.exe
C:\Users\Admin\AppData\Local\Temp\30D2.exe
C:\Users\Admin\AppData\Local\Temp\2B91.exe
C:\Users\Admin\AppData\Local\Temp\2B91.exe
C:\Users\Admin\AppData\Local\Temp\3B33.exe
C:\Users\Admin\AppData\Local\Temp\3B33.exe
C:\Users\Admin\AppData\Local\Temp\26ED.exe
C:\Users\Admin\AppData\Local\Temp\26ED.exe
C:\Users\Admin\AppData\Local\Temp\3B33.exe
C:\Users\Admin\AppData\Local\Temp\3B33.exe
C:\Users\Admin\AppData\Local\Temp\5E6C.exe
C:\Users\Admin\AppData\Local\Temp\5E6C.exe
C:\Users\Admin\AppData\Local\Temp\669B.exe
C:\Users\Admin\AppData\Local\Temp\669B.exe
C:\Users\Admin\AppData\Roaming\WinSup\client32.exe
"C:\Users\Admin\AppData\Roaming\WinSup\client32.exe"
C:\Users\Admin\AppData\Local\Temp\5E6C.exe
C:\Users\Admin\AppData\Local\Temp\5E6C.exe
C:\Users\Admin\AppData\Local\Temp\C371.exe
C:\Users\Admin\AppData\Local\Temp\C371.exe
C:\Users\Admin\AppData\Local\Temp\C5E3.exe
C:\Users\Admin\AppData\Local\Temp\C5E3.exe
C:\Users\Admin\AppData\Local\Temp\CF0C.exe
C:\Users\Admin\AppData\Local\Temp\CF0C.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 872
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\netprofm\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\WerFault.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SAPITask\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jNj7PCNNh7.bat"
C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\C5E3.exe
C:\Users\Admin\AppData\Local\Temp\C5E3.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1624
C:\Users\Admin\AppData\Local\Temp\CF0C.exe
"C:\Users\Admin\AppData\Local\Temp\CF0C.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "client32" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\client32.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\msoeacct\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\iedkcs32\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5E6C" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\jusched\5E6C.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MSFlacDecoder\WerFault.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\KBDRO\WerFault.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\usk\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\KBDRO\WerFault.exe
"C:\Windows\SysWOW64\KBDRO\WerFault.exe"
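The schtasks.exe command lines above and the Run-key values listed under "Adds Run key to start application" use the same trick: the file name is a real Windows or Office binary (WmiPrvSE.exe, explorer.exe, WerFault.exe, SearchUI.exe, fontdrvhost.exe) but the directory is one the dropper created (wbem\netprofm\, SchCache\, Java Update\, SAPITask\, usk\). The following added example, which is not code from the report or from the malware, parses both persistence mechanisms and flags that mismatch. KNOWN_LOCATIONS is an assumed, deliberately short map of canonical directories; the Run values are written as they would read back from the registry (the report shows them JSON-escaped), and the last two schtasks lines are constructed controls.

```python
"""Persistence triage: masquerading binaries in scheduled tasks and Run keys.

Added example, not part of the sandbox report. Parses `schtasks /create`
command lines and HKLM\...\Run values and flags executables whose file name
belongs to a known system binary but whose directory is not where it lives.
"""
import ntpath
import re
from typing import Optional

# Assumed canonical directories (lower-case) for the names the dropper reuses.
KNOWN_LOCATIONS = {
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "werfault.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "winlogon.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "searchui.exe": {r"c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy"},
    "shellexperiencehost.exe": {r"c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}

SCHTASKS_FIELDS = {
    "task": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "run": re.compile(r'/tr\s+"([^"]+)"', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def clean_path(value: str) -> str:
    """Strip the quoting layers seen in Run values and /tr arguments."""
    return value.strip().strip('"').strip("'").strip()


def masquerade_reason(value: str) -> Optional[str]:
    """None if the binary sits in a canonical directory or is not a known name."""
    path = clean_path(value).lower()
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    expected = KNOWN_LOCATIONS.get(name)
    if expected is None or folder in expected:
        return None
    return f"{name} lives in {sorted(expected)}, not {folder}"


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Extract /tn, /sc, /tr and /rl from a `schtasks /create` command line."""
    if "/create" not in cmdline.lower():
        return None
    fields = {}
    for key, rx in SCHTASKS_FIELDS.items():
        m = rx.search(cmdline)
        fields[key] = clean_path(m.group(1)) if m else None
    return fields


def assess(schtasks_cmdlines, run_values) -> list:
    """Return one finding per persistence entry that points at a masquerading binary."""
    findings = []
    for cmd in schtasks_cmdlines:
        task = parse_schtasks_create(cmd)
        if task and task["run"] and (why := masquerade_reason(task["run"])):
            findings.append({"source": "schtasks", "name": task["task"], "path": task["run"],
                             "schedule": task["schedule"], "runlevel": task["runlevel"], "reason": why})
    for name, value in run_values.items():
        if why := masquerade_reason(value):
            findings.append({"source": "run-key", "name": name, "path": clean_path(value),
                             "schedule": "logon", "runlevel": None, "reason": why})
    return findings


# First four lines copied from the Processes section; last two are constructed controls.
SAMPLE_SCHTASKS = [
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\netprofm\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\WerFault.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SAPITask\SearchUI.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WerCheck" /sc ONLOGON /tr "'C:\Windows\System32\WerFault.exe'" /f''',
    r'''schtasks.exe /query /tn "WmiPrvSE"''',
]
# Run values as read back from the registry; the third has no known-name match.
SAMPLE_RUN_VALUES = {
    "WmiPrvSE": r'"C:\Windows\System32\wbem\netprofm\WmiPrvSE.exe"',
    "explorer": r'"C:\Windows\SchCache\explorer.exe"',
    "5E6C": r'"C:\Users\Admin\AppData\Local\Temp\jusched\5E6C.exe"',
}

if __name__ == "__main__":
    for f in assess(SAMPLE_SCHTASKS, SAMPLE_RUN_VALUES):
        print(f["source"], f["name"], f["runlevel"], f["reason"])
```

Two caveats from this report. First, a name-based check says nothing about binaries it has never heard of: client32.exe (the NetSupport client) and jusched\5E6C.exe pass through, so pair it with the "Drops file in Program Files/System32/Windows directory" rows. Second, note the WOW64 redirection: the "Drops file in System32 directory" rows show CF0C.exe writing to C:\Windows\SysWOW64\usk\, ...\iedkcs32\ and ...\msoeacct\, while the tasks and Run keys reference C:\Windows\System32\... paths, because the 32-bit dropper's System32 writes were redirected. That is consistent with only the KBDRO\WerFault.exe entry, the one with an explicit SysWOW64 path, appearing as an executed process above.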
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.19:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
| US | 8.8.8.8:53 | ts-crl.ws.symantec.com | udp |
| US | 72.21.91.29:80 | ts-crl.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | nalirou70.top | udp |
| RU | 178.218.220.198:80 | nalirou70.top | tcp |
| RU | 178.218.220.198:80 | nalirou70.top | tcp |
| US | 8.8.8.8:53 | privacytoolzforyou-7000.top | udp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| RU | 178.218.220.198:80 | privacytoolzforyou-7000.top | tcp |
| US | 8.8.8.8:53 | file-host-host6.com | udp |
| RU | 178.218.220.198:80 | file-host-host6.com | tcp |
| RU | 178.218.220.198:80 | file-host-host6.com | tcp |
| RU | 178.218.220.198:80 | file-host-host6.com | tcp |
| RU | 178.218.220.198:80 | file-host-host6.com | tcp |
| US | 8.8.8.8:53 | hajezey10.top | udp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| NL | 185.159.80.90:38637 | | tcp |
| SC | 185.215.113.29:36224 | | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| US | 8.8.8.8:53 | myfreesoft-usa.fun | udp |
| RU | 31.31.196.31:80 | myfreesoft-usa.fun | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| LV | 45.87.154.2:80 | tcp | |
| US | 8.8.8.8:53 | zubesta1.com | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 195.171.92.116:80 | geo.netsupportsoftware.com | tcp |
| US | 173.234.155.82:2909 | zubesta1.com | tcp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | srtuiyhuali.at | udp |
| US | 8.8.8.8:53 | fufuiloirtu.com | udp |
| US | 8.8.8.8:53 | amogohuigotuli.at | udp |
| US | 8.8.8.8:53 | novohudosovu.com | udp |
| US | 8.8.8.8:53 | brutuilionust.com | udp |
| US | 8.8.8.8:53 | bubushkalioua.com | udp |
| US | 8.8.8.8:53 | dumuilistrati.at | udp |
| US | 8.8.8.8:53 | verboliatsiaeeees.com | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| US | 8.8.8.8:53 | telegin.top | udp |
| SC | 185.215.113.29:36224 | tcp | |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| US | 8.8.8.8:53 | anonfiles.com | udp |
| SE | 45.154.253.151:443 | anonfiles.com | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| US | 8.8.8.8:53 | ttmirror.top | udp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 95.181.152.184:666 | 95.181.152.184 | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| RU | 178.218.220.198:80 | hajezey10.top | tcp |
| US | 8.8.8.8:53 | ttmirror.top | udp |
| HU | 91.219.236.27:80 | 91.219.236.27 | tcp |
| HU | 91.219.236.143:80 | 91.219.236.143 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.80.148:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | ttmirror.top | udp |
| US | 8.8.8.8:53 | mastodon.online | udp |
| FI | 95.216.4.252:443 | mastodon.online | tcp |
| DE | 65.108.80.190:80 | 65.108.80.190 | tcp |
| US | 8.8.8.8:53 | teletele.top | udp |
| US | 8.8.8.8:53 | teletele.top | udp |
| SC | 185.215.113.29:36224 | tcp | |
| US | 8.8.8.8:53 | teletele.top | udp |
| RU | 82.146.43.67:80 | 82.146.43.67 | tcp |
| US | 8.8.8.8:53 | telegalive.top | udp |
| US | 8.8.8.8:53 | telegalive.top | udp |
| US | 8.8.8.8:53 | telegalive.top | udp |
| US | 8.8.8.8:53 | toptelete.top | udp |
| SC | 185.215.113.29:36224 | tcp | |
| US | 8.8.8.8:53 | toptelete.top | udp |
| US | 8.8.8.8:53 | toptelete.top | udp |
| US | 8.8.8.8:53 | telegraf.top | udp |
| US | 8.8.8.8:53 | telegraf.top | udp |
| US | 8.8.8.8:53 | telegraf.top | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| HU | 91.219.236.143:80 | tcp | |
| SC | 185.215.113.29:36224 | tcp |
Files