Analysis Overview
SHA256: 1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54
Threat Level: Known bad
The file 1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Vidar
Danabot
SmokeLoader
Detects Smokeloader packer
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
Modifies file permissions
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Kills process with taskkill
Delays execution with timeout.exe
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-10-19 09:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-10-19 09:02
Reported: 2022-10-19 09:05
Platform: win10v2004-20220812-en
Max time kernel: 150s
Max time network: 153s
Command Line
Signatures
Danabot
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E36F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37CA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3A1D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C43E.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E36F.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cf5c8859-e0f1-4ae5-bd69-576e8946af72\\E36F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E36F.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\E36F.exe | C:\Users\Admin\AppData\Local\Temp\E36F.exe |
| PID 460 set thread context of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\E36F.exe | C:\Users\Admin\AppData\Local\Temp\E36F.exe |
| PID 2232 set thread context of 640 | N/A | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3A1D.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C43E.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\37CA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\37CA.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\37CA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37CA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe
"C:\Users\Admin\AppData\Local\Temp\1fcbc6292fbaee398547ec106c01eadded2933f2d30e97522ecf8027cfafde54.exe"
C:\Users\Admin\AppData\Local\Temp\E36F.exe
C:\Users\Admin\AppData\Local\Temp\E36F.exe
C:\Users\Admin\AppData\Local\Temp\E36F.exe
C:\Users\Admin\AppData\Local\Temp\E36F.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\cf5c8859-e0f1-4ae5-bd69-576e8946af72" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\E36F.exe
"C:\Users\Admin\AppData\Local\Temp\E36F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\E36F.exe
"C:\Users\Admin\AppData\Local\Temp\E36F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe
"C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe"
C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe
"C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe"
C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build3.exe
"C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\37CA.exe
C:\Users\Admin\AppData\Local\Temp\37CA.exe
C:\Users\Admin\AppData\Local\Temp\3A1D.exe
C:\Users\Admin\AppData\Local\Temp\3A1D.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" 116.202.186.42/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe" & del C:\PrograData\*.dll & exit
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3C9E.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3C9E.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 340
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\C43E.exe
C:\Users\Admin\AppData\Local\Temp\C43E.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410 0x418
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3536 -ip 3536
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 476
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | furubujjul.net | udp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| US | 8.8.8.8:53 | pelegisr.com | udp |
| NL | 185.220.204.62:443 | pelegisr.com | tcp |
| US | 209.197.3.8:80 |  | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 104.80.225.205:443 |  | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | rgyui.top | udp |
| US | 8.8.8.8:53 | winnlinne.com | udp |
| IQ | 185.95.186.58:80 | rgyui.top | tcp |
| KR | 175.126.109.15:80 | winnlinne.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.186.42:80 | 116.202.186.42 | tcp |
| US | 52.182.143.208:443 |  | tcp |
| RU | 185.174.137.174:80 | 185.174.137.174 | tcp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| US | 209.197.3.8:80 |  | tcp |
| US | 8.8.8.8:53 | gayworld.at | udp |
| KR | 222.236.49.124:80 | gayworld.at | tcp |
| NL | 213.227.155.193:80 | 213.227.155.193 | tcp |
| KR | 222.236.49.124:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | disk.yandex.ru | udp |
| RU | 87.250.250.50:443 | disk.yandex.ru | tcp |
| KR | 222.236.49.124:80 | gayworld.at | tcp |
| NL | 192.236.233.188:443 |  | tcp |
Files
memory/4740-132-0x0000000000852000-0x0000000000862000-memory.dmp
memory/4740-133-0x0000000000800000-0x0000000000809000-memory.dmp
memory/4740-134-0x0000000000400000-0x0000000000597000-memory.dmp
memory/4740-135-0x0000000000400000-0x0000000000597000-memory.dmp
memory/2012-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E36F.exe
| MD5 | 742fda7bfe69e131aa3d3eefdf8c1331 |
| SHA1 | cf9ba02eb8d2f0ce7ed0de673d400cac1d6e58e5 |
| SHA256 | 50b28d1991ce1176d2f27a7181a7c42a72fee62ea3b08815984d3c9ab13aafc3 |
| SHA512 | c68421172fc131d71c26086456502dd7db80e02487407ed686c12f86c9a3574fc620aca019bd17fe744fac911ffebbc92027868f00ef2fa7ce6db7ecb3cf967a |
memory/2264-139-0x0000000000000000-mapping.dmp
memory/2264-140-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2264-142-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2012-143-0x000000000214E000-0x00000000021DF000-memory.dmp
memory/2264-144-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2012-145-0x00000000021E0000-0x00000000022FB000-memory.dmp
memory/2264-146-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3776-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\cf5c8859-e0f1-4ae5-bd69-576e8946af72\E36F.exe
| MD5 | 742fda7bfe69e131aa3d3eefdf8c1331 |
| SHA1 | cf9ba02eb8d2f0ce7ed0de673d400cac1d6e58e5 |
| SHA256 | 50b28d1991ce1176d2f27a7181a7c42a72fee62ea3b08815984d3c9ab13aafc3 |
| SHA512 | c68421172fc131d71c26086456502dd7db80e02487407ed686c12f86c9a3574fc620aca019bd17fe744fac911ffebbc92027868f00ef2fa7ce6db7ecb3cf967a |
memory/460-149-0x0000000000000000-mapping.dmp
memory/2264-151-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2368-152-0x0000000000000000-mapping.dmp
memory/460-156-0x0000000001FF9000-0x000000000208A000-memory.dmp
memory/2368-155-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2368-157-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 97ab7ffd65186e85f453dc7c02637528 |
| SHA1 | f22312a6a44613be85c0370878456a965f869a40 |
| SHA256 | 630df8e970cc3b1ad508db713dd8be52e0ac7a5826f3f264a266232f9a1c23ee |
| SHA512 | 37d90c98e72ad55b2cbb938541c81bac1aa9d2b8a7e19f0fbfaa365b49e7bef2d3199f03e46aa9fbf3055f3701d21860820c451065f7e425d39bf86ca606bfb0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 534025a2aa00deb9ac3404828054b95a |
| SHA1 | 7f1af88bfcdfab4dccc41ae34fe3ca64910817f5 |
| SHA256 | 958907ec2b291c208d24bdd4431abb7d2623bfa1d82304cabdb71272c3d1a15a |
| SHA512 | 3d8f922239f4e69fc73eac4bde6f1e30a2d38b70335670064989946c8bfe188143f1ffb6b6f1c55124e0c8bfd146fe66216daf1cffe730c93fc14cefee690f49 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 006c98bc42ac1d15f0ec70e3488783c5 |
| SHA1 | a8c8302826468c903b511e206d6d058e2c3acdaa |
| SHA256 | e24883740fbed2781e4df4e5387cd95c3345ec9944edeeb36babd2c10135fa00 |
| SHA512 | e0caea17f99a18483e0195c5311942c195ef42532f1868bfb5c64b3f6cb72cc0fc58414176a9bfc66452e11d17c2058eafb483a41890f502ec76dc3a6807f2f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 7032159c7f71e73048a3011cedfbb56c |
| SHA1 | c9c31c1c7dcddd694796f6738ee36b61573cf0cc |
| SHA256 | 67c8d8d936c3f5b7a28deb514493e23d034160ad0d084b1cdf9e372ddb13829a |
| SHA512 | 10b069acb907db6370d5ca435a362ba58b9e853c6c168d9211fc34d3dd187849204d46183a6cfbcdabe63bbdd0a6e550d5896b3d8c05640abb60a4d6bd21c1ef |
memory/2368-162-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2232-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build2.exe
| MD5 | 5fd8c38657bb9393bb4736c880675223 |
| SHA1 | f3a03b2e75cef22262f6677e3832b6ad9327905c |
| SHA256 | 2a5101345def285c8f52ad39f00261ba9e0375d3de73206d0b8c72ce3b6259c6 |
| SHA512 | 43c82f6db716792a770a3573a9d20cb69a2421ccc2bb875e57f4270d92c9289ee684deda19e3232c50f4675aaf86de173f73376a00f927a8d9847f60b8b732fe |
memory/640-166-0x0000000000000000-mapping.dmp
memory/2232-171-0x000000000090D000-0x0000000000939000-memory.dmp
memory/2232-172-0x00000000021A0000-0x00000000021EF000-memory.dmp
memory/640-170-0x0000000000400000-0x0000000000463000-memory.dmp
memory/640-173-0x0000000000400000-0x0000000000463000-memory.dmp
memory/640-167-0x0000000000400000-0x0000000000463000-memory.dmp
memory/640-174-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1380-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\fd750e71-fa5e-46e1-bc36-011a19ac8891\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/2368-197-0x0000000000400000-0x0000000000537000-memory.dmp
memory/748-198-0x0000000000000000-mapping.dmp
memory/640-199-0x0000000000400000-0x0000000000463000-memory.dmp
memory/4284-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\37CA.exe
| MD5 | 22f91cf54daf8dde7270d770df505c10 |
| SHA1 | d7aac098c189cb176205670562d50e876aff2318 |
| SHA256 | febd3bc85cb8088a78be9f9cecaf03e4417452a79118129efd1073a24f0ac65e |
| SHA512 | 3bca71adc06d4eb11dc348854bbb74a38c6c94a46a00fa85ea47d847fe813a9681723b538e35de3434bedfe789d9c70a64f826426b82cdf7a81becca67a0783e |
memory/3064-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3A1D.exe
| MD5 | 32c43c0ca5f599d366e0bee1a33abf33 |
| SHA1 | 5ca685f9dc6d529f4e9f46e1d4cb7f2506580290 |
| SHA256 | f176403f18c2a03fb4918b7369f586767e89fea91d458043e8fbc01938e0beca |
| SHA512 | 3d37175917bd53d671953a01525718b6f4e3a4a0f9437aa4d18c2a4e44e82e0948da9c0d59da52e8794bb129d34927951f758afbbb3c56de8d960baf5d834f3b |
memory/3400-206-0x0000000000000000-mapping.dmp
memory/4624-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3C9E.dll
| MD5 | 34988e2e5d74e24b4cd7746546cd8534 |
| SHA1 | 15bcfb5529aeae156a6f4c3b4d38e87fe806caba |
| SHA256 | ddb8f83a3c85c3c1fd6f670247b0707cef55102474c0e3f45ee02288e519f0a4 |
| SHA512 | 20e3db206aa1b44f2f8ed4cb9bb204f0beb59aee02ce755f46931fd089f8e1d49a0c4e1980f6fdfe373361a25ebdb7c5aa626807094d90fae77237c299763f25 |
memory/1152-210-0x0000000000000000-mapping.dmp
memory/4792-211-0x0000000000000000-mapping.dmp
memory/4780-209-0x0000000000000000-mapping.dmp
memory/640-212-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1152-215-0x00000000024A0000-0x0000000002698000-memory.dmp
memory/4792-216-0x0000000001000000-0x0000000001075000-memory.dmp
memory/4284-217-0x00000000005D3000-0x00000000005E4000-memory.dmp
memory/4284-218-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/4284-219-0x0000000000400000-0x0000000000597000-memory.dmp
memory/4792-220-0x00000000008A0000-0x000000000090B000-memory.dmp
memory/3064-222-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/3064-221-0x0000000000603000-0x0000000000613000-memory.dmp
memory/3064-223-0x0000000000400000-0x0000000000596000-memory.dmp
memory/4712-224-0x0000000000000000-mapping.dmp
memory/4056-225-0x0000000000000000-mapping.dmp
memory/4712-226-0x0000000000B20000-0x0000000000B2C000-memory.dmp
memory/4792-227-0x00000000008A0000-0x000000000090B000-memory.dmp
memory/1152-228-0x0000000002D10000-0x0000000002E0E000-memory.dmp
memory/1152-229-0x0000000002F10000-0x000000000300E000-memory.dmp
memory/4284-230-0x0000000000400000-0x0000000000597000-memory.dmp
memory/1152-231-0x0000000003020000-0x00000000030E2000-memory.dmp
memory/1152-232-0x0000000003100000-0x00000000031AD000-memory.dmp
memory/1152-235-0x0000000002F10000-0x000000000300E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/2672-238-0x0000000000000000-mapping.dmp
memory/3536-239-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C43E.exe
| MD5 | 0515bc52bd4de737f6136a7ffc2b1683 |
| SHA1 | adfbaa26d815ab3e0563400ea07c604a7e43fdaf |
| SHA256 | b87a01fda95c876474db498f08713b136d7b1239b28216014e53bb42fc6204c5 |
| SHA512 | 2f098f9189f3ef393779a80acf4a99c64576f0a9d128c02d046fbb4cc4db63b3af370bf769b87faea836432443ea187d0d4e91417b9bc99eb0601e090fa0bf0e |
memory/4552-242-0x0000000000000000-mapping.dmp
memory/3536-243-0x0000000000A3E000-0x0000000000B5C000-memory.dmp
memory/3536-245-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/3536-244-0x0000000002500000-0x00000000027C2000-memory.dmp
memory/3536-246-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/3536-247-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/3536-248-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/4504-249-0x0000000000000000-mapping.dmp