Analysis Overview
SHA256
76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659
Threat Level: Known bad
The file 76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659 was found to be: Known bad.
Malicious Activity Summary
Vidar
RedLine payload
SmokeLoader
RedLine
Djvu Ransomware
Danabot
Detected Djvu ransomware
Detects Smokeloader packer
Executes dropped EXE
Downloads MZ/PE file
Reads user/profile data of web browsers
Deletes itself
Modifies file permissions
Loads dropped DLL
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Runs ping.exe
outlook_office_path
Checks SCSI registry key(s)
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-11 10:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-11 10:41
Reported
2022-10-11 10:44
Platform
win10-20220901-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Danabot
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1DB9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\204A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\255C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\255C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B08.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\255C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\255C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2EC2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\96c22d43-a8e4-4a05-80ae-a078ed1cc310\\255C.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\255C.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\204A.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\204A.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 528 set thread context of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\255C.exe | C:\Users\Admin\AppData\Local\Temp\255C.exe |
| PID 4860 set thread context of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\255C.exe | C:\Users\Admin\AppData\Local\Temp\255C.exe |
| PID 4192 set thread context of 2248 | N/A | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe |
| PID 4760 set thread context of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4B08.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4654.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4654.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4654.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4654.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe
"C:\Users\Admin\AppData\Local\Temp\76f3e06c94c80fca536c4534b4163457a0cb8fc579d3f986054d5fe70554f659.exe"
C:\Users\Admin\AppData\Local\Temp\1DB9.exe
C:\Users\Admin\AppData\Local\Temp\1DB9.exe
C:\Users\Admin\AppData\Local\Temp\204A.exe
C:\Users\Admin\AppData\Local\Temp\204A.exe
C:\Users\Admin\AppData\Local\Temp\255C.exe
C:\Users\Admin\AppData\Local\Temp\255C.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2B68.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2B68.dll
C:\Windows\SysWOW64\ftp.exe
ftp /?
C:\Users\Admin\AppData\Local\Temp\255C.exe
C:\Users\Admin\AppData\Local\Temp\255C.exe
C:\Users\Admin\AppData\Local\Temp\4654.exe
C:\Users\Admin\AppData\Local\Temp\4654.exe
C:\Users\Admin\AppData\Local\Temp\4B08.exe
C:\Users\Admin\AppData\Local\Temp\4B08.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 476
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\96c22d43-a8e4-4a05-80ae-a078ed1cc310" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Preferences.vsd & ping -n 5 localhost
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\255C.exe
"C:\Users\Admin\AppData\Local\Temp\255C.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\255C.exe
"C:\Users\Admin\AppData\Local\Temp\255C.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe
"C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe"
C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build3.exe
"C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build3.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe
"C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^zsXAL$" Simulation.vsd
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif
Bags.exe.pif f
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Users\Admin\AppData\Local\Temp\2EC2.exe
C:\Users\Admin\AppData\Local\Temp\2EC2.exe
C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | furubujjul.net | udp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| CH | 179.43.163.115:80 | 179.43.163.115 | tcp |
| US | 20.42.73.24:443 | | tcp |
| AT | 45.138.74.230:80 | 45.138.74.230 | tcp |
| US | 8.8.8.8:53 | pelegisr.com | udp |
| NL | 185.220.204.62:443 | pelegisr.com | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | rgyui.top | udp |
| US | 8.8.8.8:53 | winnlinne.com | udp |
| KR | 210.92.250.133:80 | rgyui.top | tcp |
| NL | 217.195.155.154:8081 | | tcp |
| UZ | 195.158.3.162:80 | winnlinne.com | tcp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 172.67.70.233:443 | get.geojs.io | tcp |
| UZ | 195.158.3.162:80 | winnlinne.com | tcp |
| US | 8.8.8.8:53 | gayworld.at | udp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| DE | 23.88.115.141:80 | 23.88.115.141 | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | GqaSrgKXZxBgAB.GqaSrgKXZxBgAB | udp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | 220929175332293.kaj.zxd12.fun | udp |
| LV | 185.82.126.147:80 | 220929175332293.kaj.zxd12.fun | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| NL | 213.227.155.193:80 | 213.227.155.193 | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | disk.yandex.ru | udp |
| RU | 87.250.250.50:443 | disk.yandex.ru | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | hrabrlonian.xyz | udp |
| LV | 94.140.112.18:81 | hrabrlonian.xyz | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
| KR | 211.119.84.112:80 | gayworld.at | tcp |
Files
memory/3048-117-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-118-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-119-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-120-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-121-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-122-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-123-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-124-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-125-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-126-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-127-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-128-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-129-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-130-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-131-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-132-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-133-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-134-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-135-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-136-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-137-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-138-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-140-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-141-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-142-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-144-0x0000000000680000-0x00000000007CA000-memory.dmp
memory/3048-147-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-146-0x00000000022B0000-0x00000000022B9000-memory.dmp
memory/3048-148-0x0000000000400000-0x0000000000592000-memory.dmp
memory/3048-145-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-143-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-149-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-150-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-151-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-152-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-153-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/3048-154-0x0000000000400000-0x0000000000592000-memory.dmp
memory/3036-157-0x0000000000660000-0x0000000000670000-memory.dmp
memory/3036-159-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-160-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-162-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-163-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-164-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-165-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-168-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-169-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-171-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-170-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-172-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-173-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-176-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-177-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-178-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-179-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-180-0x0000000000660000-0x0000000000670000-memory.dmp
memory/3036-181-0x0000000000770000-0x0000000000780000-memory.dmp
memory/3036-182-0x00000000022A0000-0x00000000022B0000-memory.dmp
memory/3036-183-0x00000000022A0000-0x00000000022B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1DB9.exe
| MD5 | 5afa9df2f454f69f8679a41d64e03ede |
| SHA1 | 96f7ce338de32a54f16b1744ce6caa0c2180479d |
| SHA256 | 430797ef1d345f9cdc9fd6da4f139dd960b4bb757fd435600826d9c1bd77cf0a |
| SHA512 | 7e8251bd0a805f5334c6a93d0c3908795192bd454bb06652cade6d23fb873e022e923b5c1c6dd42bb7bdd052b1eac5caca6f2831b6eef81ac3b778a0b41986a5 |
memory/2892-184-0x0000000000000000-mapping.dmp
memory/2892-186-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-187-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-188-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-189-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-190-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-191-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-194-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-196-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-197-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/4432-201-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-202-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/2892-200-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/4432-199-0x0000000077470000-0x00000000775FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\204A.exe
| MD5 | 52d4af6eab9e603ed974524ea0a7103c |
| SHA1 | 0bd5d7b73a649c17c40685fab934aeb13d734c82 |
| SHA256 | b7d5fb28fcb3168a491be679b71c79ad28e4dde619361671095c81c2b6c97970 |
| SHA512 | f9211e95ea9aec395e32165c82f2663924a2097e454cd7c8e3e8bc394073ec963be4ec7a5b6193368f403e502efa475b0a218565b8860d18d57f792290421e25 |
memory/4432-195-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1DB9.exe
| MD5 | 5afa9df2f454f69f8679a41d64e03ede |
| SHA1 | 96f7ce338de32a54f16b1744ce6caa0c2180479d |
| SHA256 | 430797ef1d345f9cdc9fd6da4f139dd960b4bb757fd435600826d9c1bd77cf0a |
| SHA512 | 7e8251bd0a805f5334c6a93d0c3908795192bd454bb06652cade6d23fb873e022e923b5c1c6dd42bb7bdd052b1eac5caca6f2831b6eef81ac3b778a0b41986a5 |
memory/2892-192-0x0000000077470000-0x00000000775FE000-memory.dmp
memory/528-220-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\255C.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
C:\Users\Admin\AppData\Local\Temp\255C.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/4568-253-0x0000000000000000-mapping.dmp
memory/3036-252-0x00000000022A0000-0x00000000022B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2B68.dll
| MD5 | 29c7e0ed33dcb03765ee907e37afb400 |
| SHA1 | 76e2db33cc97134c4ce96e625309503302226eda |
| SHA256 | 51214dad7dbee64c2c7113c124c6413690baa43a0429f851c1ac6b98f88dc820 |
| SHA512 | 58efcffe6c31275be39e435e54858f62bdb03aeb6d5b79977e86cf7d3e9a179f38c2f8fe19fcbce59b53bd7140cd1e23a90bed6e3f4944ec55c5f74bf5f35962 |
memory/3196-262-0x0000000000000000-mapping.dmp
memory/3988-321-0x0000000000000000-mapping.dmp
memory/528-341-0x00000000022F0000-0x000000000238D000-memory.dmp
memory/528-344-0x00000000023D0000-0x00000000024EB000-memory.dmp
\Users\Admin\AppData\Local\Temp\2B68.dll
| MD5 | 29c7e0ed33dcb03765ee907e37afb400 |
| SHA1 | 76e2db33cc97134c4ce96e625309503302226eda |
| SHA256 | 51214dad7dbee64c2c7113c124c6413690baa43a0429f851c1ac6b98f88dc820 |
| SHA512 | 58efcffe6c31275be39e435e54858f62bdb03aeb6d5b79977e86cf7d3e9a179f38c2f8fe19fcbce59b53bd7140cd1e23a90bed6e3f4944ec55c5f74bf5f35962 |
memory/4808-356-0x0000000000424141-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\255C.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/1836-391-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4654.exe
| MD5 | ce3318950278bd63e24fb0730d62fadb |
| SHA1 | ecf6360b076d98a9c92d2d6c981e1a010e775e01 |
| SHA256 | 4a708183dbd64bbfc5c84d4cef1ae0ef4717db52e952b6dfad147d23cdeef648 |
| SHA512 | 21ed294ec27726c19b91dbc3bf6d9405e39e5f9925b2439ba947fc3d805a7fac4a0918018210ed8168f02bd49e6cac94c30960aa62d1e8cbad634284f36ad66f |
memory/3196-412-0x0000000004800000-0x0000000004940000-memory.dmp
memory/1884-418-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4654.exe
| MD5 | ce3318950278bd63e24fb0730d62fadb |
| SHA1 | ecf6360b076d98a9c92d2d6c981e1a010e775e01 |
| SHA256 | 4a708183dbd64bbfc5c84d4cef1ae0ef4717db52e952b6dfad147d23cdeef648 |
| SHA512 | 21ed294ec27726c19b91dbc3bf6d9405e39e5f9925b2439ba947fc3d805a7fac4a0918018210ed8168f02bd49e6cac94c30960aa62d1e8cbad634284f36ad66f |
memory/3196-415-0x0000000004A80000-0x0000000004BBE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4B08.exe
| MD5 | 536440ca09522d4d522db984a26504ac |
| SHA1 | 4c300f3847ea553f8be8daba1220d1340b7ed52a |
| SHA256 | 19d1f17afb4d7c5fe563183393068e05360b4e5f6076b479936476aae145dce1 |
| SHA512 | 940f15ca5b9836ee5b22ab6a6e84821c6714ca2226b14553c5d33dd7184280e340c9c4cf21f750b9af8af4ccbebfb545f1766bb5e6b54956f0d7a52676653c6e |
memory/2100-437-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4B08.exe
| MD5 | 536440ca09522d4d522db984a26504ac |
| SHA1 | 4c300f3847ea553f8be8daba1220d1340b7ed52a |
| SHA256 | 19d1f17afb4d7c5fe563183393068e05360b4e5f6076b479936476aae145dce1 |
| SHA512 | 940f15ca5b9836ee5b22ab6a6e84821c6714ca2226b14553c5d33dd7184280e340c9c4cf21f750b9af8af4ccbebfb545f1766bb5e6b54956f0d7a52676653c6e |
memory/2204-467-0x0000000000000000-mapping.dmp
memory/4808-472-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2204-476-0x0000000000B60000-0x0000000000B6C000-memory.dmp
memory/1836-554-0x00000000006C0000-0x00000000006C9000-memory.dmp
memory/1836-550-0x00000000006E0000-0x000000000082A000-memory.dmp
memory/1836-558-0x0000000000400000-0x0000000000592000-memory.dmp
memory/1884-560-0x00000000005F0000-0x000000000069E000-memory.dmp
memory/1884-577-0x0000000000400000-0x0000000000593000-memory.dmp
memory/2100-578-0x0000000000D70000-0x0000000000DE5000-memory.dmp
memory/2100-579-0x0000000000D00000-0x0000000000D6B000-memory.dmp
memory/5044-592-0x0000000000000000-mapping.dmp
memory/2100-596-0x0000000000D00000-0x0000000000D6B000-memory.dmp
memory/1836-598-0x0000000000400000-0x0000000000592000-memory.dmp
memory/4808-602-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3196-605-0x0000000004A80000-0x0000000004BBE000-memory.dmp
memory/3448-615-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Preferences.vsd
| MD5 | 23df91b58a61d477860ae3d23b098968 |
| SHA1 | b474e7cd93994fbbe780842e3cbebcd833981a34 |
| SHA256 | 7f50c3b8b4e5f2117c562a78e2a08c65a25c019e3341c649b2a44b7873ae190d |
| SHA512 | ea05e91b616ec2861ae2586fbd17120fd00e3b059c3200a7676a57146344bc54ff418902912ac2a184eb7e0ab1926b9a56774a10ba68166c030319a6974f4331 |
memory/5084-623-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\96c22d43-a8e4-4a05-80ae-a078ed1cc310\255C.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/4860-645-0x0000000000000000-mapping.dmp
memory/4808-647-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\255C.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/1884-668-0x00000000005F0000-0x000000000069E000-memory.dmp
memory/3104-677-0x0000000000424141-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\255C.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/3104-728-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2892-731-0x00000000031A0000-0x00000000036BF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 7f8548cd24365ac33eef4a07d914fcff |
| SHA1 | 136711ce4e16bda7ef85b5a6dcc2ee3d54feb3c5 |
| SHA256 | 7c067aa82a6eb9082b5d1a0f58c4e2a1c43f9b9c1cf86114e2e985cbf56b5492 |
| SHA512 | 3dc02cd9abeff9043bf17d1ce9090f5a08cb5e91574391a23338afc8b627f113e062b6cd84418fe92789e5b24511b6cc5e3604b30ee12207052360d3006aca27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 6f59ed058aa06aaf5ec6213b955aabd4 |
| SHA1 | baf7b828a563b8fb6111e4ce35e0055575ad80b4 |
| SHA256 | 2d82e2629fa2e08f28b43b15da43dff56c7f4b23b39d66109c7c61998e35b4d5 |
| SHA512 | 6b0f041dafb98b9eaf70ac0d20a98c56e1c42231c4a4ae6e11582b20d20bf8f96dfd7747739a10d77368994441adb0e181b356f8569697b1f22ab4fe931170ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 65b48b35a4d333c34a1acb88a8581f6f |
| SHA1 | 11c434cb7f814c9cbd379c1fb21e66fed196816f |
| SHA256 | 2024cca1dde4fd1d33f55eca0fae2b487e7e138b78d1eb3481d386bea40474b9 |
| SHA512 | 319b331591f8d39bffcd4bbad7b6a801c0f30d973e8f0eeb2576e15cf8bdf8ed6054dc73d326934565623e585b2418acae6e577454ce75beaf876a83192abdb5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 0698dbc93ba7b6bef73ba316695f8317 |
| SHA1 | a444078ff1eb7c88f52cb4e324365926b491ed47 |
| SHA256 | 263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c |
| SHA512 | ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900 |
memory/2892-759-0x0000000000400000-0x00000000009A1000-memory.dmp
memory/224-770-0x0000000000000000-mapping.dmp
memory/2272-778-0x0000000000000000-mapping.dmp
memory/2432-816-0x0000000000000000-mapping.dmp
memory/2792-880-0x0000000000000000-mapping.dmp
memory/308-881-0x0000000000000000-mapping.dmp
memory/4192-928-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe
| MD5 | 9c3d4324a153c6438f48083bc333a962 |
| SHA1 | 033e80e2008f4f62d2716ce0473bb0d763d52277 |
| SHA256 | 5ee57d85a41b825060864ae85981253f28148d15586a5f6274d562dfeae93e98 |
| SHA512 | 8cce276e59b2fcdb333fecaaa1e3ab9d0b24e25c54a6fc959b6c190441061fab67ea0d35e7077cf910b557b6a60b90c1d2260352b11789bbcd430814fcff51cd |
memory/4512-961-0x0000000000000000-mapping.dmp
memory/3916-971-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4476-1012-0x0000000000000000-mapping.dmp
memory/3104-1027-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3844-1026-0x0000000000000000-mapping.dmp
memory/4192-1059-0x00000000008DA000-0x0000000000906000-memory.dmp
memory/4192-1063-0x00000000005A0000-0x00000000006EA000-memory.dmp
memory/2248-1079-0x000000000042161D-mapping.dmp
memory/4192-1086-0x00000000008DA000-0x0000000000906000-memory.dmp
C:\Users\Admin\AppData\Local\203632c5-626a-430d-8241-444ce993c20e\build2.exe
| MD5 | 9c3d4324a153c6438f48083bc333a962 |
| SHA1 | 033e80e2008f4f62d2716ce0473bb0d763d52277 |
| SHA256 | 5ee57d85a41b825060864ae85981253f28148d15586a5f6274d562dfeae93e98 |
| SHA512 | 8cce276e59b2fcdb333fecaaa1e3ab9d0b24e25c54a6fc959b6c190441061fab67ea0d35e7077cf910b557b6a60b90c1d2260352b11789bbcd430814fcff51cd |
memory/2892-1103-0x0000000000400000-0x00000000009A1000-memory.dmp
memory/2248-1139-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1440-1161-0x0000000000000000-mapping.dmp
memory/1324-1187-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Simulation.vsd
| MD5 | 75d2326d2d1bb6de24f3dda341482c13 |
| SHA1 | 38c9138a24824073eef171cf365ebb01a2c4937f |
| SHA256 | b6031d6424a4221830e29153fc7125dbd251b454539de76fee852a6875840431 |
| SHA512 | b3521bdc95c871ffb8f5866f2f9699ed8343715437e40f9da42a4740e1b279ddb6d4aa85229485baf8331bba5868c4299860031888c322e96b29ce6aa3761dc3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Euros.vsd
| MD5 | e0352752dddef97bad04fa25c81fe867 |
| SHA1 | 1c040b67598bbccdd510a49f842668935365fd71 |
| SHA256 | 97208cb34d8b0af9e7bf3b8400ddd249337a58c4be8a38f39e3874900a73d455 |
| SHA512 | 331ac25e2122779710fd0c4b3818df6ab3c1ea7df2d406953cfe39734dac32283f849a37766c0070fcd2dba82502c22b2e28867dcf64a9931cc5d8c14e4a1240 |
memory/3672-1207-0x0000000000000000-mapping.dmp
memory/4760-1242-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif
| MD5 | 6987e4cd3f256462f422326a7ef115b9 |
| SHA1 | 71672a495b4603ecfec40a65254cb3ba8766bbe0 |
| SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 |
| SHA512 | 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4 |
memory/2280-1296-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif
| MD5 | 6987e4cd3f256462f422326a7ef115b9 |
| SHA1 | 71672a495b4603ecfec40a65254cb3ba8766bbe0 |
| SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 |
| SHA512 | 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2892-1395-0x0000000000400000-0x00000000009A1000-memory.dmp
memory/2680-1397-0x0000000000000000-mapping.dmp
memory/2248-1409-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3048-1419-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2EC2.exe
| MD5 | bc7e8331829dfc4e5c4e0f8ffff20c34 |
| SHA1 | a740805129a2be62cd15b2c09c9bb122d1acce83 |
| SHA256 | 37f129807be2028840c6f99dccc3589a3988c93582e53f0fea758001d0858179 |
| SHA512 | a9b4cbde3d804937c8d3a0adde9ff58d60858a25801ab3e2d64a2f3c8cd7158e895c97823ac8c682472c99b5e9a40a59679a663e0be64af6b145f78f822d025c |
memory/2400-1452-0x0000000000000000-mapping.dmp
memory/3048-1458-0x0000000002330000-0x0000000002456000-memory.dmp
memory/3048-1461-0x00000000024B0000-0x0000000002772000-memory.dmp
memory/3048-1463-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/3048-1467-0x0000000002330000-0x0000000002456000-memory.dmp
memory/3048-1468-0x0000000000400000-0x00000000006CE000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\kprGKGWkWrUJt.dll
| MD5 | 50741b3f2d7debf5d2bed63d88404029 |
| SHA1 | 56210388a627b926162b36967045be06ffb1aad3 |
| SHA256 | f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c |
| SHA512 | fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\kprGKGWkWrUJt.dll
| MD5 | 50741b3f2d7debf5d2bed63d88404029 |
| SHA1 | 56210388a627b926162b36967045be06ffb1aad3 |
| SHA256 | f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c |
| SHA512 | fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3 |
memory/4464-1512-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\kprGKGWkWrUJt.dll
| MD5 | 50741b3f2d7debf5d2bed63d88404029 |
| SHA1 | 56210388a627b926162b36967045be06ffb1aad3 |
| SHA256 | f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c |
| SHA512 | fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3 |
memory/4564-1541-0x000000000092213A-mapping.dmp
memory/4564-1574-0x0000000000900000-0x0000000000928000-memory.dmp
memory/4564-1595-0x0000000005400000-0x0000000005A06000-memory.dmp
memory/4564-1596-0x0000000004F90000-0x000000000509A000-memory.dmp
memory/4564-1598-0x0000000004EC0000-0x0000000004ED2000-memory.dmp
memory/4564-1600-0x0000000004F20000-0x0000000004F5E000-memory.dmp
memory/4564-1602-0x00000000050A0000-0x00000000050EB000-memory.dmp