Analysis Overview
SHA256
f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82
Threat Level: Known bad
The file f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82 was found to be: Known bad.
Malicious Activity Summary
Detects Smokeloader packer
RedLine
SmokeLoader
Vidar
Danabot
Djvu Ransomware
Detected Djvu ransomware
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Loads dropped DLL
Modifies file permissions
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious use of SendNotifyMessage
Runs ping.exe
Enumerates processes with tasklist
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-11 12:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-11 12:32
Reported
2022-10-11 12:35
Platform
win10-20220901-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Danabot
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2897.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5160.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5614.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2DB8.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\2897.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2897.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1a017708-c8b1-4b97-833e-806e13903d0d\\30F5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\30F5.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4908 set thread context of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\30F5.exe | C:\Users\Admin\AppData\Local\Temp\30F5.exe |
| PID 4480 set thread context of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\30F5.exe | C:\Users\Admin\AppData\Local\Temp\30F5.exe |
| PID 5096 set thread context of 4768 | N/A | C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe | C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe |
| PID 4912 set thread context of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5614.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5160.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5160.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5160.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5160.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82.exe | "C:\Users\Admin\AppData\Local\Temp\f4fbc06c3470e09decdd7aaaf248188cab8400f70065c5d55becd8c804a57d82.exe" |
| C:\Users\Admin\AppData\Local\Temp\22DA.exe | C:\Users\Admin\AppData\Local\Temp\22DA.exe |
| C:\Users\Admin\AppData\Local\Temp\2897.exe | C:\Users\Admin\AppData\Local\Temp\2897.exe |
| C:\Users\Admin\AppData\Local\Temp\30F5.exe | C:\Users\Admin\AppData\Local\Temp\30F5.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39DF.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\39DF.dll |
| C:\Windows\SysWOW64\ftp.exe | ftp /? |
| C:\Users\Admin\AppData\Local\Temp\30F5.exe | C:\Users\Admin\AppData\Local\Temp\30F5.exe |
| C:\Users\Admin\AppData\Local\Temp\5160.exe | C:\Users\Admin\AppData\Local\Temp\5160.exe |
| C:\Users\Admin\AppData\Local\Temp\5614.exe | C:\Users\Admin\AppData\Local\Temp\5614.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 476 |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\1a017708-c8b1-4b97-833e-806e13903d0d" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Windows\SysWOW64\cmd.exe | cmd /c cmd < Preferences.vsd & ping -n 5 localhost |
| C:\Windows\SysWOW64\cmd.exe | cmd |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FI "imagename eq AvastUI.exe" |
| C:\Users\Admin\AppData\Local\Temp\30F5.exe | "C:\Users\Admin\AppData\Local\Temp\30F5.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\find.exe | find /I /N "avastui.exe" |
| C:\Users\Admin\AppData\Local\Temp\30F5.exe | "C:\Users\Admin\AppData\Local\Temp\30F5.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FI "imagename eq AVGUI.exe" |
| C:\Windows\SysWOW64\find.exe | find /I /N "avgui.exe" |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^zsXAL$" Simulation.vsd |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif | Bags.exe.pif f |
| C:\Windows\SysWOW64\PING.EXE | ping localhost -n 5 |
| C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe | "C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe" |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic os get Caption |
| C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build3.exe | "C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build3.exe" |
| C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe | "C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic path win32_VideoController get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic cpu get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic cpu get name |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 localhost |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\2DB8.exe | C:\Users\Admin\AppData\Local\Temp\2DB8.exe |
| C:\Windows\SysWOW64\appidtel.exe | C:\Windows\system32\appidtel.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Network
Files
memory/2188-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-151-0x0000000000710000-0x0000000000719000-memory.dmp
memory/2188-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-153-0x0000000000400000-0x0000000000592000-memory.dmp
memory/2188-149-0x000000000080A000-0x000000000081A000-memory.dmp
memory/2188-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2188-156-0x000000000080A000-0x000000000081A000-memory.dmp
memory/2188-157-0x0000000000400000-0x0000000000592000-memory.dmp
memory/3464-160-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\22DA.exe
| MD5 | d237a974fc52390cc829629494cb79ec |
| SHA1 | 9846624a2766acea8ea9b1d1422c5cdb75fb86eb |
| SHA256 | 906a81a8d5b5b5ef72325ccd05217733fb68f41cb5168f4c1cb4e10cfac34c35 |
| SHA512 | 64dcc059025546c9a6f3e3a3790a521ce14819b26ccadb2a10d3d2d2c1cd6c1e9acdf6cc382436a06323442db765d1b62fba05afc60b2b2bd9d062419ee5e1e4 |
memory/3464-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\22DA.exe
| MD5 | d237a974fc52390cc829629494cb79ec |
| SHA1 | 9846624a2766acea8ea9b1d1422c5cdb75fb86eb |
| SHA256 | 906a81a8d5b5b5ef72325ccd05217733fb68f41cb5168f4c1cb4e10cfac34c35 |
| SHA512 | 64dcc059025546c9a6f3e3a3790a521ce14819b26ccadb2a10d3d2d2c1cd6c1e9acdf6cc382436a06323442db765d1b62fba05afc60b2b2bd9d062419ee5e1e4 |
memory/3464-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2897.exe
| MD5 | 52d4af6eab9e603ed974524ea0a7103c |
| SHA1 | 0bd5d7b73a649c17c40685fab934aeb13d734c82 |
| SHA256 | b7d5fb28fcb3168a491be679b71c79ad28e4dde619361671095c81c2b6c97970 |
| SHA512 | f9211e95ea9aec395e32165c82f2663924a2097e454cd7c8e3e8bc394073ec963be4ec7a5b6193368f403e502efa475b0a218565b8860d18d57f792290421e25 |
memory/2212-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-187-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-189-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-191-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-193-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-195-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-194-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-192-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-190-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2212-188-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3464-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/4908-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\30F5.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
C:\Users\Admin\AppData\Local\Temp\30F5.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/3428-235-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\39DF.dll
| MD5 | 29c7e0ed33dcb03765ee907e37afb400 |
| SHA1 | 76e2db33cc97134c4ce96e625309503302226eda |
| SHA256 | 51214dad7dbee64c2c7113c124c6413690baa43a0429f851c1ac6b98f88dc820 |
| SHA512 | 58efcffe6c31275be39e435e54858f62bdb03aeb6d5b79977e86cf7d3e9a179f38c2f8fe19fcbce59b53bd7140cd1e23a90bed6e3f4944ec55c5f74bf5f35962 |
memory/4444-242-0x0000000000000000-mapping.dmp
memory/4360-293-0x0000000000000000-mapping.dmp
memory/4908-311-0x0000000002260000-0x00000000022F5000-memory.dmp
memory/4908-315-0x0000000002380000-0x000000000249B000-memory.dmp
\Users\Admin\AppData\Local\Temp\39DF.dll
| MD5 | 29c7e0ed33dcb03765ee907e37afb400 |
| SHA1 | 76e2db33cc97134c4ce96e625309503302226eda |
| SHA256 | 51214dad7dbee64c2c7113c124c6413690baa43a0429f851c1ac6b98f88dc820 |
| SHA512 | 58efcffe6c31275be39e435e54858f62bdb03aeb6d5b79977e86cf7d3e9a179f38c2f8fe19fcbce59b53bd7140cd1e23a90bed6e3f4944ec55c5f74bf5f35962 |
C:\Users\Admin\AppData\Local\Temp\30F5.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/4308-333-0x0000000000424141-mapping.dmp
memory/4568-357-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5160.exe
| MD5 | d9eadffecef1f38835c32eafd36b321a |
| SHA1 | 999bea193d0506183eea5c615f168578a40675ca |
| SHA256 | 74269c1673f35de90dac509a546f48e040d57eae64ef74c93039c1c765c6e5c3 |
| SHA512 | d13194c4296d85f258a8f625fd39f8d59ac0bb79f99fda725e17a0f41f26bad3554f6d5064f87d631198f25b43dd96fd5b7ae261491e5900bed003d3ca05ca51 |
memory/4572-383-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5614.exe
| MD5 | 536440ca09522d4d522db984a26504ac |
| SHA1 | 4c300f3847ea553f8be8daba1220d1340b7ed52a |
| SHA256 | 19d1f17afb4d7c5fe563183393068e05360b4e5f6076b479936476aae145dce1 |
| SHA512 | 940f15ca5b9836ee5b22ab6a6e84821c6714ca2226b14553c5d33dd7184280e340c9c4cf21f750b9af8af4ccbebfb545f1766bb5e6b54956f0d7a52676653c6e |
memory/1848-398-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5614.exe
| MD5 | 536440ca09522d4d522db984a26504ac |
| SHA1 | 4c300f3847ea553f8be8daba1220d1340b7ed52a |
| SHA256 | 19d1f17afb4d7c5fe563183393068e05360b4e5f6076b479936476aae145dce1 |
| SHA512 | 940f15ca5b9836ee5b22ab6a6e84821c6714ca2226b14553c5d33dd7184280e340c9c4cf21f750b9af8af4ccbebfb545f1766bb5e6b54956f0d7a52676653c6e |
memory/680-429-0x0000000000000000-mapping.dmp
memory/4444-424-0x0000000004CD0000-0x0000000004E0E000-memory.dmp
memory/4444-419-0x0000000004A50000-0x0000000004B90000-memory.dmp
memory/680-445-0x00000000008C0000-0x00000000008CC000-memory.dmp
memory/4308-469-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4568-504-0x000000000079A000-0x00000000007AB000-memory.dmp
memory/4568-508-0x00000000001D0000-0x00000000001D9000-memory.dmp
memory/4568-514-0x0000000000400000-0x0000000000593000-memory.dmp
memory/4572-535-0x000000000078A000-0x000000000079B000-memory.dmp
memory/4572-540-0x0000000000400000-0x0000000000593000-memory.dmp
memory/1848-552-0x0000000001200000-0x000000000126B000-memory.dmp
memory/1848-551-0x0000000001270000-0x00000000012E5000-memory.dmp
memory/4440-569-0x0000000000000000-mapping.dmp
memory/4568-573-0x000000000079A000-0x00000000007AB000-memory.dmp
memory/4568-574-0x0000000000400000-0x0000000000593000-memory.dmp
memory/1848-575-0x0000000001200000-0x000000000126B000-memory.dmp
memory/4444-578-0x0000000004CD0000-0x0000000004E0E000-memory.dmp
memory/3472-581-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Preferences.vsd
| MD5 | 23df91b58a61d477860ae3d23b098968 |
| SHA1 | b474e7cd93994fbbe780842e3cbebcd833981a34 |
| SHA256 | 7f50c3b8b4e5f2117c562a78e2a08c65a25c019e3341c649b2a44b7873ae190d |
| SHA512 | ea05e91b616ec2861ae2586fbd17120fd00e3b059c3200a7676a57146344bc54ff418902912ac2a184eb7e0ab1926b9a56774a10ba68166c030319a6974f4331 |
memory/4208-588-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\1a017708-c8b1-4b97-833e-806e13903d0d\30F5.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/4156-611-0x0000000000000000-mapping.dmp
memory/4308-614-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3548-625-0x0000000000000000-mapping.dmp
memory/4308-641-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4480-639-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\30F5.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/4572-662-0x000000000078A000-0x000000000079B000-memory.dmp
memory/4572-687-0x0000000000400000-0x0000000000593000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\30F5.exe
| MD5 | d8eaa6a4796ba5b2bb8ecaa2f9ce3999 |
| SHA1 | 0cf6a0cc77e2a73eeef82fc434368e9dbea9836d |
| SHA256 | 59dfb3311a97c0424430681e17f1b0e6c406894fe88aaa3676dee3fc88be69ac |
| SHA512 | 77e0b820d4099e0f35cfb2775140d17473475ba38a844e761b16da89b6ba8e2fbb6453cafd5b352c57916c8570f785020fe423716ddc19c58fd18a38553e79f4 |
memory/4712-698-0x0000000000424141-mapping.dmp
memory/4712-758-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2180-773-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 6f59ed058aa06aaf5ec6213b955aabd4 |
| SHA1 | baf7b828a563b8fb6111e4ce35e0055575ad80b4 |
| SHA256 | 2d82e2629fa2e08f28b43b15da43dff56c7f4b23b39d66109c7c61998e35b4d5 |
| SHA512 | 6b0f041dafb98b9eaf70ac0d20a98c56e1c42231c4a4ae6e11582b20d20bf8f96dfd7747739a10d77368994441adb0e181b356f8569697b1f22ab4fe931170ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 36022e7e67888d12bf66b53b3f1e553d |
| SHA1 | 4151748f8963f739a18c8111d8fdcaefd8edd12a |
| SHA256 | 338ffed1e8b864cb94453fe220d3b413e3deed1168e25425976e2b1be35ebd71 |
| SHA512 | d7be5b82447d9c153a918ef4c78421b34e8b75b9f0f83e6e668345e4bbe50d6380907c0641f6093422e9ac74d23c03ec771fcab944f00020ba0a4ca6106d4b92 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 0698dbc93ba7b6bef73ba316695f8317 |
| SHA1 | a444078ff1eb7c88f52cb4e324365926b491ed47 |
| SHA256 | 263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c |
| SHA512 | ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | faa8ab30bb8ebb81680d64e2e03c5142 |
| SHA1 | 7310d488118901f77d5b06c847628d3aa9f92050 |
| SHA256 | 1e74702deacf22ac4d6b482748602d735d10711081fa9b57adb9af9786b9fc5c |
| SHA512 | ff89604c16d5ca914e1f67041b21d6beb2180e3f92912020dc6ffee6ed1cd57c35d31922ca0f15952b628a92f296b3709a1fbf433e765e1c4b987337defe2fb9 |
memory/1180-783-0x0000000000000000-mapping.dmp
memory/3464-811-0x0000000003280000-0x000000000379F000-memory.dmp
memory/3464-816-0x0000000000400000-0x00000000009A1000-memory.dmp
memory/4876-838-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Simulation.vsd
| MD5 | 75d2326d2d1bb6de24f3dda341482c13 |
| SHA1 | 38c9138a24824073eef171cf365ebb01a2c4937f |
| SHA256 | b6031d6424a4221830e29153fc7125dbd251b454539de76fee852a6875840431 |
| SHA512 | b3521bdc95c871ffb8f5866f2f9699ed8343715437e40f9da42a4740e1b279ddb6d4aa85229485baf8331bba5868c4299860031888c322e96b29ce6aa3761dc3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Euros.vsd
| MD5 | e0352752dddef97bad04fa25c81fe867 |
| SHA1 | 1c040b67598bbccdd510a49f842668935365fd71 |
| SHA256 | 97208cb34d8b0af9e7bf3b8400ddd249337a58c4be8a38f39e3874900a73d455 |
| SHA512 | 331ac25e2122779710fd0c4b3818df6ab3c1ea7df2d406953cfe39734dac32283f849a37766c0070fcd2dba82502c22b2e28867dcf64a9931cc5d8c14e4a1240 |
memory/4912-856-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif
| MD5 | 6987e4cd3f256462f422326a7ef115b9 |
| SHA1 | 71672a495b4603ecfec40a65254cb3ba8766bbe0 |
| SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 |
| SHA512 | 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4 |
memory/1504-883-0x0000000000000000-mapping.dmp
memory/5096-908-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe
| MD5 | 5fd8c38657bb9393bb4736c880675223 |
| SHA1 | f3a03b2e75cef22262f6677e3832b6ad9327905c |
| SHA256 | 2a5101345def285c8f52ad39f00261ba9e0375d3de73206d0b8c72ce3b6259c6 |
| SHA512 | 43c82f6db716792a770a3573a9d20cb69a2421ccc2bb875e57f4270d92c9289ee684deda19e3232c50f4675aaf86de173f73376a00f927a8d9847f60b8b732fe |
memory/3908-940-0x0000000000000000-mapping.dmp
memory/5084-971-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bags.exe.pif
| MD5 | 6987e4cd3f256462f422326a7ef115b9 |
| SHA1 | 71672a495b4603ecfec40a65254cb3ba8766bbe0 |
| SHA256 | 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0 |
| SHA512 | 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4 |
C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4712-1037-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5096-1039-0x00000000005B0000-0x000000000065E000-memory.dmp
memory/5096-1042-0x00000000021B0000-0x00000000021FF000-memory.dmp
memory/3976-1051-0x0000000000000000-mapping.dmp
memory/4768-1057-0x0000000000429CBD-mapping.dmp
C:\Users\Admin\AppData\Local\5ebfa070-6254-4d02-8b47-c52caa9efafa\build2.exe
| MD5 | 5fd8c38657bb9393bb4736c880675223 |
| SHA1 | f3a03b2e75cef22262f6677e3832b6ad9327905c |
| SHA256 | 2a5101345def285c8f52ad39f00261ba9e0375d3de73206d0b8c72ce3b6259c6 |
| SHA512 | 43c82f6db716792a770a3573a9d20cb69a2421ccc2bb875e57f4270d92c9289ee684deda19e3232c50f4675aaf86de173f73376a00f927a8d9847f60b8b732fe |
memory/3464-1107-0x0000000000400000-0x00000000009A1000-memory.dmp
memory/4768-1139-0x0000000000400000-0x0000000000463000-memory.dmp
memory/4368-1159-0x0000000000000000-mapping.dmp
memory/4552-1167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4184-1265-0x0000000000000000-mapping.dmp
memory/4548-1275-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3652-1349-0x0000000000000000-mapping.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1404-1424-0x0000000000000000-mapping.dmp
memory/1040-1439-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2DB8.exe
| MD5 | ec352c8af98167cc5f7340f51f8cf87a |
| SHA1 | de5bd7ae08eabb4083498eb0f66f1c31799723e0 |
| SHA256 | 64c3c78be6938ffcc7dcb7ffafa4119a6ddb81a325b4fdeba3c55fa9b1d2241f |
| SHA512 | 994324568857c67323e08029cd6b6ad70470d17410d45ff5c9ab8c244cc29b726a79bb5d96d5e2e4f70f520d2df46044ecfeea441190bf3bba2352917d50753d |
memory/4768-1464-0x0000000000400000-0x0000000000463000-memory.dmp
memory/3464-1465-0x0000000000400000-0x00000000009A1000-memory.dmp
memory/1040-1473-0x0000000002640000-0x0000000002902000-memory.dmp
memory/1040-1471-0x0000000002510000-0x0000000002635000-memory.dmp
memory/5060-1476-0x0000000000000000-mapping.dmp
memory/1040-1490-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/1040-1494-0x0000000002510000-0x0000000002635000-memory.dmp
memory/1040-1495-0x0000000002640000-0x0000000002902000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\kprGKGWkWrUJt.dll
| MD5 | 50741b3f2d7debf5d2bed63d88404029 |
| SHA1 | 56210388a627b926162b36967045be06ffb1aad3 |
| SHA256 | f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c |
| SHA512 | fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3 |
memory/4352-1516-0x000000000052213A-mapping.dmp
memory/4352-1549-0x0000000000500000-0x0000000000528000-memory.dmp
memory/4352-1570-0x0000000005050000-0x0000000005656000-memory.dmp
memory/4352-1571-0x0000000004B90000-0x0000000004C9A000-memory.dmp
memory/4352-1573-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/4352-1575-0x0000000004B20000-0x0000000004B5E000-memory.dmp
memory/4352-1577-0x0000000004CA0000-0x0000000004CEB000-memory.dmp