Analysis Overview
SHA256
365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4
Threat Level: Known bad
The file 365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe was found to be: Known bad.
Malicious Activity Summary
Vidar
Djvu Ransomware
Detected Djvu ransomware
Danabot
SmokeLoader
Detects Smokeloader packer
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Reads user/profile data of web browsers
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Delays execution with timeout.exe
outlook_office_path
outlook_win_path
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-19 13:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-19 13:12
Reported
2022-10-19 13:15
Platform
win7-20220812-en
Max time kernel
151s
Max time network
44s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe
"C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 74.125.34.46:80 | | tcp |
Files
memory/2020-54-0x0000000000628000-0x0000000000639000-memory.dmp
memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp
memory/2020-57-0x00000000002B0000-0x00000000002B9000-memory.dmp
memory/2020-56-0x0000000000628000-0x0000000000639000-memory.dmp
memory/2020-58-0x0000000000400000-0x0000000000593000-memory.dmp
memory/2020-59-0x0000000000400000-0x0000000000593000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-19 13:12
Reported
2022-10-19 13:15
Platform
win10v2004-20220812-en
Max time kernel
153s
Max time network
157s
Command Line
Signatures
Danabot
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E7C5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F36F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\766.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\766.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\766.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\766.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5374.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\766.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\766.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6ff88e35-2542-413a-b860-00f8f5d08129\\766.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\766.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3136 set thread context of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\766.exe | C:\Users\Admin\AppData\Local\Temp\766.exe |
| PID 3120 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\766.exe | C:\Users\Admin\AppData\Local\Temp\766.exe |
| PID 1568 set thread context of 4392 | N/A | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EA46.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F36F.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5374.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E7C5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E7C5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E7C5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E7C5.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe
"C:\Users\Admin\AppData\Local\Temp\365904fa34452030915b29fcbf60978159e63a6240622ffd72b6d564a591bad4.exe"
C:\Users\Admin\AppData\Local\Temp\E7C5.exe
C:\Users\Admin\AppData\Local\Temp\E7C5.exe
C:\Users\Admin\AppData\Local\Temp\EA46.exe
C:\Users\Admin\AppData\Local\Temp\EA46.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4700 -ip 4700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 340
C:\Users\Admin\AppData\Local\Temp\F36F.exe
C:\Users\Admin\AppData\Local\Temp\F36F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1764 -ip 1764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 340
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F62F.dll
C:\Users\Admin\AppData\Local\Temp\766.exe
C:\Users\Admin\AppData\Local\Temp\766.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\766.exe
C:\Users\Admin\AppData\Local\Temp\766.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\F62F.dll
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6ff88e35-2542-413a-b860-00f8f5d08129" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\766.exe
"C:\Users\Admin\AppData\Local\Temp\766.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\766.exe
"C:\Users\Admin\AppData\Local\Temp\766.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5374.exe
C:\Users\Admin\AppData\Local\Temp\5374.exe
C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x2d8
C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe
"C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe"
C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build3.exe
"C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe
"C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" ˜ü{/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe" & del C:\PrograData\*.dll & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4920 -ip 4920
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | furubujjul.net | udp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.253.225.254:80 | | tcp |
| US | 8.253.225.254:80 | | tcp |
| US | 8.8.8.8:53 | pelegisr.com | udp |
| NL | 185.220.204.62:443 | pelegisr.com | tcp |
| RU | 185.174.137.174:80 | 185.174.137.174 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 172.67.203.213:80 | furubujjul.net | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | rgyui.top | udp |
| US | 8.8.8.8:53 | winnlinne.com | udp |
| KR | 175.126.109.15:80 | rgyui.top | tcp |
| UZ | 195.158.3.162:80 | winnlinne.com | tcp |
| US | 8.8.8.8:53 | gayworld.at | udp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| NL | 213.227.155.193:80 | 213.227.155.193 | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | disk.yandex.ru | udp |
| RU | 87.250.250.50:443 | disk.yandex.ru | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| UZ | 195.158.3.162:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| SA | 31.167.249.87:80 | gayworld.at | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.186.42:80 | 116.202.186.42 | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 20.42.72.131:443 | | tcp |
| NL | 192.236.233.188:443 | 192.236.233.188 | tcp |
Files
memory/2144-132-0x00000000007E2000-0x00000000007F2000-memory.dmp
memory/2144-133-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/2144-134-0x0000000000400000-0x0000000000593000-memory.dmp
memory/2144-135-0x0000000000400000-0x0000000000593000-memory.dmp
memory/5068-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E7C5.exe
| MD5 | b2e3468de0cca1d708122ace4cbb1efe |
| SHA1 | fb015f1fe50bd8ad8458a267ee3322a01ea8a721 |
| SHA256 | 6a883411f16df17993db73ab92b50ce5a454d3b5f4b510baa308f226aaf3a338 |
| SHA512 | 3fdf979c231345b9da989388019ef46a7aa52241a86624ebd8b9ccbdbe26a036e971f820a891b2dcae466763c70cefb2150c0b506d5befa58bb96103c19b5137 |
C:\Users\Admin\AppData\Local\Temp\E7C5.exe
| MD5 | b2e3468de0cca1d708122ace4cbb1efe |
| SHA1 | fb015f1fe50bd8ad8458a267ee3322a01ea8a721 |
| SHA256 | 6a883411f16df17993db73ab92b50ce5a454d3b5f4b510baa308f226aaf3a338 |
| SHA512 | 3fdf979c231345b9da989388019ef46a7aa52241a86624ebd8b9ccbdbe26a036e971f820a891b2dcae466763c70cefb2150c0b506d5befa58bb96103c19b5137 |
memory/4700-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EA46.exe
| MD5 | 22f91cf54daf8dde7270d770df505c10 |
| SHA1 | d7aac098c189cb176205670562d50e876aff2318 |
| SHA256 | febd3bc85cb8088a78be9f9cecaf03e4417452a79118129efd1073a24f0ac65e |
| SHA512 | 3bca71adc06d4eb11dc348854bbb74a38c6c94a46a00fa85ea47d847fe813a9681723b538e35de3434bedfe789d9c70a64f826426b82cdf7a81becca67a0783e |
memory/5068-142-0x0000000000753000-0x0000000000764000-memory.dmp
memory/5068-143-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/5068-144-0x0000000000400000-0x0000000000597000-memory.dmp
memory/1764-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F36F.exe
| MD5 | f5ecf695ddeccaf4d4590bb6bf18063a |
| SHA1 | 066f2bf925229234bca3f7515f493024d1f4e34c |
| SHA256 | c9214456c95e741d32e6602ccfb7df4363c3e943449c7e614257fcd60877436e |
| SHA512 | dea7d7bd6a29849c6724894c3a2bf65dd1014e76a4d88faad7ae47d2d8c19455370773f9c386eed66a008ed9b14405b5ef17a1a937fbac12ac11fec9ecc32f76 |
memory/4700-148-0x0000000000813000-0x0000000000824000-memory.dmp
memory/4700-149-0x0000000000400000-0x0000000000597000-memory.dmp
memory/1764-150-0x0000000000853000-0x0000000000864000-memory.dmp
memory/1764-151-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/1764-152-0x0000000000400000-0x0000000000597000-memory.dmp
memory/5068-153-0x0000000000400000-0x0000000000597000-memory.dmp
memory/1780-154-0x0000000000000000-mapping.dmp
memory/3136-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\766.exe
| MD5 | dc38da1da1e88bac04121824d2abb81a |
| SHA1 | 101f00bcbba421c4f14a20a7da382acbfe900e52 |
| SHA256 | fd5c524cd0cb96875cb791dafbbd11d4ef5970fc988df77aabfdce9cb63f4e1a |
| SHA512 | cb0a18fabc9d065a328a85957efb4f52ce640d8f8c74cfb64d2e01c245f669b0440c0c2fca1d51ad3618ae72a578ce17726f1446b9aa79f1e2fe2e86d439381b |
memory/2436-158-0x0000000000000000-mapping.dmp
memory/216-159-0x0000000000000000-mapping.dmp
memory/216-160-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F62F.dll
| MD5 | 34988e2e5d74e24b4cd7746546cd8534 |
| SHA1 | 15bcfb5529aeae156a6f4c3b4d38e87fe806caba |
| SHA256 | ddb8f83a3c85c3c1fd6f670247b0707cef55102474c0e3f45ee02288e519f0a4 |
| SHA512 | 20e3db206aa1b44f2f8ed4cb9bb204f0beb59aee02ce755f46931fd089f8e1d49a0c4e1980f6fdfe373361a25ebdb7c5aa626807094d90fae77237c299763f25 |
memory/3136-167-0x00000000022F0000-0x000000000240B000-memory.dmp
memory/4340-166-0x0000000000000000-mapping.dmp
memory/2436-168-0x0000000001270000-0x00000000012E5000-memory.dmp
memory/216-165-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3136-164-0x0000000000812000-0x00000000008A4000-memory.dmp
memory/216-162-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3468-170-0x0000000000000000-mapping.dmp
memory/3468-172-0x00000000005B0000-0x00000000005BC000-memory.dmp
memory/3468-171-0x00000000005C0000-0x00000000005C7000-memory.dmp
memory/2436-173-0x0000000001200000-0x000000000126B000-memory.dmp
memory/216-174-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4340-175-0x00000000030C0000-0x00000000031BE000-memory.dmp
memory/4340-176-0x00000000032C0000-0x00000000033BE000-memory.dmp
memory/2436-177-0x0000000001200000-0x000000000126B000-memory.dmp
memory/4476-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\6ff88e35-2542-413a-b860-00f8f5d08129\766.exe
| MD5 | dc38da1da1e88bac04121824d2abb81a |
| SHA1 | 101f00bcbba421c4f14a20a7da382acbfe900e52 |
| SHA256 | fd5c524cd0cb96875cb791dafbbd11d4ef5970fc988df77aabfdce9cb63f4e1a |
| SHA512 | cb0a18fabc9d065a328a85957efb4f52ce640d8f8c74cfb64d2e01c245f669b0440c0c2fca1d51ad3618ae72a578ce17726f1446b9aa79f1e2fe2e86d439381b |
memory/3120-180-0x0000000000000000-mapping.dmp
memory/216-182-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4340-183-0x00000000033C0000-0x0000000003482000-memory.dmp
memory/4340-184-0x0000000003490000-0x000000000353D000-memory.dmp
memory/1600-187-0x0000000000000000-mapping.dmp
memory/1600-191-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4340-192-0x00000000032C0000-0x00000000033BE000-memory.dmp
memory/3120-189-0x000000000071F000-0x00000000007B1000-memory.dmp
memory/1600-193-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 97ab7ffd65186e85f453dc7c02637528 |
| SHA1 | f22312a6a44613be85c0370878456a965f869a40 |
| SHA256 | 630df8e970cc3b1ad508db713dd8be52e0ac7a5826f3f264a266232f9a1c23ee |
| SHA512 | 37d90c98e72ad55b2cbb938541c81bac1aa9d2b8a7e19f0fbfaa365b49e7bef2d3199f03e46aa9fbf3055f3701d21860820c451065f7e425d39bf86ca606bfb0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 0fbd6cbe9eadc9e552116822c2e8f4e9 |
| SHA1 | cdbfdb56e9755c1afada388ed792f9dfe23ea398 |
| SHA256 | be20a94be8dc7d32bc095e1dad7a13e8b37fb5faadaf648487caff70d20e326e |
| SHA512 | 4ea7e90b15e18793aa313db890582fe8696cefcc455d75b07f81ef95b56e8109d2c60c8848b05c178c9dac7cac389f7c068753e0173dfea33022ab97586ae83e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | fccf82bfb916f71c9a5a0670b7023bca |
| SHA1 | 636bf7366e670ced27552b28c3d8c0d24d644048 |
| SHA256 | c063e10a0715dc192decb084afe53dbf4a87f9907db467ecf3ebaffbe4e5bbdd |
| SHA512 | 1e2888579038ff8030bdffb81e5e01f5f98b62db1dfcd8b0fff2c28fed26670051b4cdab9a875f7632046d70380b7bef578efcf21cce1234425d266d559144ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 006c98bc42ac1d15f0ec70e3488783c5 |
| SHA1 | a8c8302826468c903b511e206d6d058e2c3acdaa |
| SHA256 | e24883740fbed2781e4df4e5387cd95c3345ec9944edeeb36babd2c10135fa00 |
| SHA512 | e0caea17f99a18483e0195c5311942c195ef42532f1868bfb5c64b3f6cb72cc0fc58414176a9bfc66452e11d17c2058eafb483a41890f502ec76dc3a6807f2f4 |
memory/1600-198-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4920-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5374.exe
| MD5 | f359c70889fc8b2efb5288515e843ca4 |
| SHA1 | 6829f47ab8270a56675623bc2fe551ebb2d1638a |
| SHA256 | 1f03484017e8cf844c619d5c3c5ae195cae0c8b8c5c8eddaa40ed20b56fa4c73 |
| SHA512 | b73394e5159eb5d4eb8d0b870dcfc2a93c63d1e436ae43da52dfe6006fde5c88a9879ddacd2486c3f53134ec0b0346e424d9eaad08594cf6886936b4e18543d6 |
memory/944-202-0x0000000000000000-mapping.dmp
memory/4920-203-0x00000000007B0000-0x00000000008CE000-memory.dmp
memory/4920-204-0x0000000002430000-0x00000000026F2000-memory.dmp
memory/4920-205-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/1600-206-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1568-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build2.exe
| MD5 | 5fd8c38657bb9393bb4736c880675223 |
| SHA1 | f3a03b2e75cef22262f6677e3832b6ad9327905c |
| SHA256 | 2a5101345def285c8f52ad39f00261ba9e0375d3de73206d0b8c72ce3b6259c6 |
| SHA512 | 43c82f6db716792a770a3573a9d20cb69a2421ccc2bb875e57f4270d92c9289ee684deda19e3232c50f4675aaf86de173f73376a00f927a8d9847f60b8b732fe |
memory/2968-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\88786653-0462-4ee7-a6e1-1ed7fa4082b6\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3640-213-0x0000000000000000-mapping.dmp
memory/4392-214-0x0000000000000000-mapping.dmp
memory/4392-215-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1568-219-0x0000000000740000-0x000000000078F000-memory.dmp
memory/1568-217-0x00000000007FD000-0x0000000000829000-memory.dmp
memory/4392-220-0x0000000000400000-0x0000000000463000-memory.dmp
memory/4392-221-0x0000000000400000-0x0000000000463000-memory.dmp
memory/4392-222-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4392-242-0x0000000000400000-0x0000000000463000-memory.dmp
memory/4884-243-0x0000000000000000-mapping.dmp
memory/2172-244-0x0000000000000000-mapping.dmp
memory/4392-245-0x0000000000400000-0x0000000000463000-memory.dmp
memory/4996-246-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/2156-249-0x0000000000000000-mapping.dmp
memory/4920-250-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/4920-251-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/4920-252-0x0000000000400000-0x00000000006CE000-memory.dmp
memory/4084-253-0x0000000000000000-mapping.dmp
memory/4084-254-0x0000000001040000-0x0000000001043000-memory.dmp
memory/4084-255-0x0000000001050000-0x0000000001053000-memory.dmp
memory/4084-256-0x0000000001060000-0x0000000001063000-memory.dmp
memory/4084-257-0x0000000001070000-0x0000000001073000-memory.dmp
memory/4084-258-0x0000000001080000-0x0000000001083000-memory.dmp
memory/4084-259-0x0000000001090000-0x0000000001093000-memory.dmp
memory/4084-260-0x00000000010A0000-0x00000000010A3000-memory.dmp
memory/4084-261-0x00000000010B0000-0x00000000010B3000-memory.dmp
memory/4084-262-0x00000000010C0000-0x00000000010C3000-memory.dmp
memory/4084-264-0x00000000010E0000-0x00000000010E3000-memory.dmp
memory/4084-263-0x00000000010D0000-0x00000000010D3000-memory.dmp
memory/4084-265-0x00000000010E0000-0x00000000010E3000-memory.dmp