Analysis Overview
SHA256
392590926787c60698fb55e152b0d66d575e466d9a5c1a246faeb4d495ccae35
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
RedLine payload
SmokeLoader
RedLine
Detected Djvu ransomware
Detects Smokeloader packer
Djvu Ransomware
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
outlook_win_path
Checks SCSI registry key(s)
outlook_office_path
Creates scheduled task(s)
Delays execution with timeout.exe
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:06
Reported
2022-10-31 22:09
Platform
win7-20220812-en
Max time kernel
151s
Max time network
43s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
Files
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
memory/1504-55-0x000000000026B000-0x000000000027C000-memory.dmp
memory/1504-56-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/1504-57-0x0000000000400000-0x0000000000598000-memory.dmp
memory/1504-58-0x0000000000400000-0x0000000000598000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 22:06
Reported
2022-10-31 22:09
Platform
win10v2004-20220901-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5517.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E12E.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E12E.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5517.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fb26b508-42c6-462e-8bfb-e5aeaa6de5a1\\5517.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5517.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3556 set thread context of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\592F.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3644 set thread context of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\5517.exe | C:\Users\Admin\AppData\Local\Temp\5517.exe |
| PID 3580 set thread context of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\5517.exe | C:\Users\Admin\AppData\Local\Temp\5517.exe |
| PID 4224 set thread context of 4928 | N/A | C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe | C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5C0E.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5C0E.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5C0E.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5C0E.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\53FD.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5350.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5350.dll
C:\Users\Admin\AppData\Local\Temp\53FD.exe
C:\Users\Admin\AppData\Local\Temp\53FD.exe
C:\Users\Admin\AppData\Local\Temp\5517.exe
C:\Users\Admin\AppData\Local\Temp\5517.exe
C:\Users\Admin\AppData\Local\Temp\592F.exe
C:\Users\Admin\AppData\Local\Temp\592F.exe
C:\Users\Admin\AppData\Local\Temp\5C0E.exe
C:\Users\Admin\AppData\Local\Temp\5C0E.exe
C:\Users\Admin\AppData\Local\Temp\5FB9.exe
C:\Users\Admin\AppData\Local\Temp\5FB9.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\5517.exe
C:\Users\Admin\AppData\Local\Temp\5517.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 340
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\fb26b508-42c6-462e-8bfb-e5aeaa6de5a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5517.exe
"C:\Users\Admin\AppData\Local\Temp\5517.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5517.exe
"C:\Users\Admin\AppData\Local\Temp\5517.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe
"C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe"
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe
"C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe"
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build3.exe
"C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3976 -ip 3976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1612
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\E12E.exe
C:\Users\Admin\AppData\Local\Temp\E12E.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1104
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1192
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1132
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 984
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1052
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1076
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1132
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1116
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1028 -ip 1028
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1008
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 984
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 988
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1160
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2328 -ip 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1140
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 996
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 620 -ip 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1100
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3508 -ip 3508
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1124
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1128
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2960 -ip 2960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2960 -ip 2960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2960 -ip 2960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2960 -ip 2960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1112
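The process list above is raw sandbox output, alternating image path and command line. The Python below is an added triage example, not part of this report or of the sandbox's own tooling: it parses a constructed excerpt of that listing (a handful of the lines above, in the same layout) into image/command-line pairs and extracts the three things worth pulling out of it by hand: WerFault launches grouped by the crashing PID (in this listing every crash appears as a `-pss ... -p PID -ip PID` launch plus a `-u -p PID` launch, so two launches correspond to one crash), rundll32 invoking a DLL from a user-writable path by export name, and executables with four-hex-digit names under the user's AppData tree, which is how every dropped payload in this report is named. The excerpt, helper names and the repeat-crash threshold are my own assumptions.

```python
import re
from collections import Counter

# Constructed excerpt of the process listing above (same alternating
# image-path / command-line layout); not the full list.
PROCESS_LISTING = r"""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4020 -ip 4020
C:\Users\Admin\AppData\Local\Temp\E12E.exe
"C:\Users\Admin\AppData\Local\Temp\E12E.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 472
"""

# "-p <pid>" preceded by whitespace or line start, so "-pss" and "-ip" do not match.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")
# rundll32 <path>.dll,<export>; assumes the DLL path has no spaces, as in this report.
RUNDLL_CALL = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>\w+)", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# Exactly four hex digits between the last backslash and the extension.
HEX_NAME = re.compile(r"\\([0-9A-F]{4})\.(exe|dll)$", re.I)


def parse_listing(text):
    """Pair each image path with the command line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing must alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def crash_counts(pairs):
    """Number of WerFault launches per crashing PID."""
    counts = Counter()
    for image, cmd in pairs:
        if image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(cmd)
            if m:
                counts[int(m.group(1))] += 1
    return counts


def repeat_crashers(pairs, min_launches=4):
    """PIDs WerFault handled at least min_launches times (two launches per crash)."""
    return sorted(pid for pid, n in crash_counts(pairs).items() if n >= min_launches)


def rundll32_from_user_paths(pairs):
    """(dll path, export) for rundll32 calls whose DLL lives under a user's AppData."""
    findings = []
    for _image, cmd in pairs:
        m = RUNDLL_CALL.search(cmd)
        if m and USER_WRITABLE.search(m.group("dll")):
            findings.append((m.group("dll"), m.group("export")))
    return findings


def hex_named_payloads(pairs):
    """Executables/DLLs with four-hex-digit names launched from a user's AppData."""
    names = set()
    for image, _cmd in pairs:
        m = HEX_NAME.search(image)
        if m and USER_WRITABLE.search(image):
            names.add(f"{m.group(1)}.{m.group(2)}")
    return sorted(names)


if __name__ == "__main__":
    pairs = parse_listing(PROCESS_LISTING)
    print("WerFault launches per PID:", dict(crash_counts(pairs)))
    print("repeat crashers:", repeat_crashers(pairs, min_launches=2))
    print("rundll32 from user paths:", rundll32_from_user_paths(pairs))
    print("hex-named payloads:", hex_named_payloads(pairs))
```

Run against the full listing, the crash counter is the quickest way to see that PIDs 4020, 3644, 2328, 4500, 620, 3508, 4404, 3028 and 2960 each faulted many times while the loader kept respawning E12E.exe and rundll32 between crashes.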
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | furubujjul.net | udp |
| DE | 91.195.240.101:80 | furubujjul.net | tcp |
| US | 8.8.8.8:53 | starvestitibo.org | udp |
| RU | 193.106.191.15:80 | starvestitibo.org | tcp |
| US | 8.8.8.8:53 | shingroup.com | udp |
| NL | 185.220.204.64:443 | shingroup.com | tcp |
| US | 20.189.173.15:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| RU | 193.106.191.15:80 | starvestitibo.org | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| DE | 167.235.252.160:10642 | | tcp |
| RU | 78.153.144.3:2510 | | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | uaery.top | udp |
| HU | 37.234.251.221:80 | uaery.top | tcp |
| US | 8.8.8.8:53 | fresherlights.com | udp |
| KR | 211.119.84.112:80 | fresherlights.com | tcp |
| KR | 211.119.84.112:80 | fresherlights.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FI | 95.217.246.41:80 | 95.217.246.41 | tcp |
| US | 8.8.8.8:53 | freeshmex.at | udp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| CZ | 146.19.173.31:80 | 146.19.173.31 | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| US | 8.8.8.8:53 | disk.yandex.ru | udp |
| RU | 87.250.250.50:443 | disk.yandex.ru | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| MY | 103.187.26.147:443 | | tcp |
| NL | 213.227.155.103:443 | | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| MY | 103.187.26.147:443 | | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| MY | 103.187.26.147:443 | | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| US | 172.86.120.215:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| MY | 103.187.26.147:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| MY | 103.187.26.147:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| MY | 103.187.26.147:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| MY | 103.187.26.147:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| US | 172.86.120.138:443 | | tcp |
| US | 172.86.120.138:443 | | tcp |
| MY | 103.187.26.147:443 | | tcp |
| US | 172.86.120.138:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| US | 172.86.120.215:443 | | tcp |
| US | 172.86.120.138:443 | | tcp |
| MY | 103.187.26.147:443 | | tcp |
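The network table is the part of this report most likely to be copied straight into a blocklist, so the following is an added Python example (not part of the report or of the sandbox) that parses a constructed excerpt of it. It tolerates the export quirk in which the protocol slides into the Domain column when no name was resolved, maps each domain to the IPs that were actually connected to, counts repeat connections per endpoint, and flags TCP connections made directly to an IP on a non-standard port, which have no DNS lookup to pivot on and are the usual sign of a hard-coded C2 address. The excerpt, the helper names, the "common ports" set and the resolver address are my own assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed excerpt of the network table above, in the report's own
# pipe-delimited layout. Rows 1 and 7 keep the export quirk where the
# protocol sits in the Domain column (or the trailing cell is missing)
# because nothing was resolved; row 6 shows the clean form of such a row.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | furubujjul.net | udp |
| DE | 91.195.240.101:80 | furubujjul.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| DE | 167.235.252.160:10642 | | tcp |
| RU | 78.153.144.3:2510 | tcp |
| FI | 95.217.246.41:80 | 95.217.246.41 | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| KW | 37.34.248.24:80 | freeshmex.at | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
"""

COMMON_PORTS = {53, 80, 443}   # assumption: ports that are not suspicious on their own
DNS_RESOLVER = "8.8.8.8"       # assumption: the sandbox's resolver; its rows are lookups, not C2


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rows(text):
    """Parse the pipe table into dicts, repairing rows whose columns shifted left."""
    rows = []
    for line in text.splitlines()[1:]:                      # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        cells += [""] * (4 - len(cells))                    # missing trailing cell(s)
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:  # protocol slid into Domain
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def resolutions(rows):
    """Domain -> sorted IPs it was connected to (DNS rows and IP-literal 'domains' excluded)."""
    out = defaultdict(set)
    for r in rows:
        if r["ip"] != DNS_RESOLVER and r["domain"] and not _is_ip(r["domain"]):
            out[r["domain"]].add(r["ip"])
    return {d: sorted(ips) for d, ips in out.items()}


def connection_counts(rows):
    """How often each ip:port was contacted; repeats on one endpoint look like polling."""
    return Counter(f'{r["ip"]}:{r["port"]}' for r in rows if r["ip"] != DNS_RESOLVER)


def direct_ip_connections(rows, common_ports=COMMON_PORTS):
    """TCP connections with no hostname (or hostname == IP) on an uncommon port."""
    flagged = set()
    for r in rows:
        if r["proto"] != "tcp" or r["port"] in common_ports:
            continue
        if r["domain"] and not _is_ip(r["domain"]):
            continue
        flagged.add(f'{r["ip"]}:{r["port"]}')
    return sorted(flagged)


def unique_iocs(rows):
    """(domains, ips) for a blocklist, with the resolver and IP-literal 'domains' removed."""
    domains = {r["domain"] for r in rows if r["domain"] and not _is_ip(r["domain"])}
    ips = {r["ip"] for r in rows if r["ip"] != DNS_RESOLVER}
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    print("direct-to-IP on uncommon ports:", direct_ip_connections(rows))
    print("resolutions:", resolutions(rows))
    print("repeat endpoints:", [e for e, n in connection_counts(rows).items() if n > 1])
    print("IOCs:", unique_iocs(rows))
```

On the full table the direct-to-IP check singles out 167.235.252.160:10642 and 78.153.144.3:2510, and the connection counter shows freeshmex.at:80 being hit dozens of times in a 43-second capture, which is worth a separate signature regardless of what the payload classification says.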
Files
memory/3704-132-0x000000000085D000-0x000000000086E000-memory.dmp
memory/3704-133-0x00000000006E0000-0x00000000006E9000-memory.dmp
memory/3704-134-0x0000000000400000-0x0000000000598000-memory.dmp
memory/3704-135-0x0000000000400000-0x0000000000598000-memory.dmp
memory/224-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5350.dll
| MD5 | 502e7330e6e1d55c1c65d496e9599d44 |
| SHA1 | 00dbfa3c506ee2cce26882107fa262da8a83d392 |
| SHA256 | e485f007bfade595ea3b13742c1bf0da4f074edaaa65d8cf807796a18317b4f6 |
| SHA512 | bc7cf54cc991245980b127e1b643e9e28fb6377b26ffa6767736f50a02ef41e87ea744429e1f4c1a8ebad018f009ec7ab29d2c62cc469b460193b789c5ec87b7 |
memory/3976-138-0x0000000000000000-mapping.dmp
memory/340-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\53FD.exe
| MD5 | ae963f8d171481ec27f2a013b76026aa |
| SHA1 | 0f01cba183d6f76c899e5c72006edccb8dd933eb |
| SHA256 | 173d9fb69de0939d3266706ce44baf55669abdf1ca35b91236d84e1f4306f844 |
| SHA512 | 27419c8081df94cb91ad03fd5d6789df5fbf1d6d6c2e1367b48155bef7447663b9234ed92da435d73d68488553fbf8587d1413be0c8c62268b33cef8cdb5c6df |
C:\Users\Admin\AppData\Local\Temp\53FD.exe
| MD5 | ae963f8d171481ec27f2a013b76026aa |
| SHA1 | 0f01cba183d6f76c899e5c72006edccb8dd933eb |
| SHA256 | 173d9fb69de0939d3266706ce44baf55669abdf1ca35b91236d84e1f4306f844 |
| SHA512 | 27419c8081df94cb91ad03fd5d6789df5fbf1d6d6c2e1367b48155bef7447663b9234ed92da435d73d68488553fbf8587d1413be0c8c62268b33cef8cdb5c6df |
memory/3644-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5517.exe
| MD5 | bf35957e6b72a97dac143ff5ecb71e0b |
| SHA1 | d168ee93fcd4ce2205988b8e155ed1b5df26299b |
| SHA256 | 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b |
| SHA512 | e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f |
C:\Users\Admin\AppData\Local\Temp\5517.exe
| MD5 | bf35957e6b72a97dac143ff5ecb71e0b |
| SHA1 | d168ee93fcd4ce2205988b8e155ed1b5df26299b |
| SHA256 | 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b |
| SHA512 | e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f |
C:\Users\Admin\AppData\Local\Temp\5350.dll
| MD5 | 502e7330e6e1d55c1c65d496e9599d44 |
| SHA1 | 00dbfa3c506ee2cce26882107fa262da8a83d392 |
| SHA256 | e485f007bfade595ea3b13742c1bf0da4f074edaaa65d8cf807796a18317b4f6 |
| SHA512 | bc7cf54cc991245980b127e1b643e9e28fb6377b26ffa6767736f50a02ef41e87ea744429e1f4c1a8ebad018f009ec7ab29d2c62cc469b460193b789c5ec87b7 |
C:\Users\Admin\AppData\Local\Temp\592F.exe
| MD5 | 7073e236f88852d96342eaf93c2c6ae8 |
| SHA1 | 03bf4c34b994c6276c61fd3cc4813e8030b8ec69 |
| SHA256 | f1923024464e9c4629ce3606dfbc4dc64f60b66625e428807fcde56cb06e5e29 |
| SHA512 | 966502891050edc46312566bb8664afd1e1b3f10a5306a531b8b9491df3a0d188fd96bc90f333d1b814a3fe3af5773c5ffa10515793090b2f4555fe326ddeaf7 |
memory/3556-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\592F.exe
| MD5 | 7073e236f88852d96342eaf93c2c6ae8 |
| SHA1 | 03bf4c34b994c6276c61fd3cc4813e8030b8ec69 |
| SHA256 | f1923024464e9c4629ce3606dfbc4dc64f60b66625e428807fcde56cb06e5e29 |
| SHA512 | 966502891050edc46312566bb8664afd1e1b3f10a5306a531b8b9491df3a0d188fd96bc90f333d1b814a3fe3af5773c5ffa10515793090b2f4555fe326ddeaf7 |
C:\Users\Admin\AppData\Local\Temp\5C0E.exe
| MD5 | b1c75c7ebd91a35d248b230fd0e1cef4 |
| SHA1 | 8d41bf258efd590db945ce0ef173e12afb1060a1 |
| SHA256 | 3d07e172347c7b5cede6b6c725db004ed4a88258a1204ed534391c87a5a5716d |
| SHA512 | bd753abb64527f98c393d1c97361d39493a0b2955dd55848aab63683040cde07f9ce4e8cd68d32bcc8d9c68889d98c013d8102023652510a861be2a0695490de |
C:\Users\Admin\AppData\Local\Temp\5C0E.exe
| MD5 | b1c75c7ebd91a35d248b230fd0e1cef4 |
| SHA1 | 8d41bf258efd590db945ce0ef173e12afb1060a1 |
| SHA256 | 3d07e172347c7b5cede6b6c725db004ed4a88258a1204ed534391c87a5a5716d |
| SHA512 | bd753abb64527f98c393d1c97361d39493a0b2955dd55848aab63683040cde07f9ce4e8cd68d32bcc8d9c68889d98c013d8102023652510a861be2a0695490de |
memory/2380-148-0x0000000000000000-mapping.dmp
memory/4688-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5FB9.exe
| MD5 | 0429ffc783c6c4e2897966e485bdf9a3 |
| SHA1 | 04aa9bb13bbd3f47b37ad38cdf289ab1127d1323 |
| SHA256 | d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad |
| SHA512 | 995b9d0c69607f12490f5ea23a863c303a87cbb4bab9bbe3326f7f1e0cd10c797e9fd825ef4d6b5c23924427286142ce94198b8fd0e3b397168af875d24eca07 |
C:\Users\Admin\AppData\Local\Temp\5FB9.exe
| MD5 | 0429ffc783c6c4e2897966e485bdf9a3 |
| SHA1 | 04aa9bb13bbd3f47b37ad38cdf289ab1127d1323 |
| SHA256 | d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad |
| SHA512 | 995b9d0c69607f12490f5ea23a863c303a87cbb4bab9bbe3326f7f1e0cd10c797e9fd825ef4d6b5c23924427286142ce94198b8fd0e3b397168af875d24eca07 |
memory/4808-155-0x0000000000000000-mapping.dmp
memory/3664-156-0x0000000000000000-mapping.dmp
memory/4808-157-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3976-163-0x000000000078D000-0x00000000007BE000-memory.dmp
memory/3976-164-0x0000000004CF0000-0x0000000005294000-memory.dmp
memory/3976-165-0x0000000002210000-0x000000000224E000-memory.dmp
memory/4468-162-0x0000000000000000-mapping.dmp
memory/3976-166-0x0000000004BD0000-0x0000000004C62000-memory.dmp
memory/3976-167-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/3336-169-0x0000000000000000-mapping.dmp
memory/3664-168-0x0000000000800000-0x0000000000875000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5517.exe
| MD5 | bf35957e6b72a97dac143ff5ecb71e0b |
| SHA1 | d168ee93fcd4ce2205988b8e155ed1b5df26299b |
| SHA256 | 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b |
| SHA512 | e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f |
memory/3644-176-0x0000000002370000-0x000000000248B000-memory.dmp
memory/3336-177-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3644-173-0x00000000022A3000-0x0000000002334000-memory.dmp
memory/3336-175-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3976-178-0x00000000054C0000-0x0000000005AD8000-memory.dmp
memory/4808-179-0x00000000057A0000-0x00000000058AA000-memory.dmp
memory/3336-171-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3976-181-0x0000000005430000-0x000000000546C000-memory.dmp
memory/2380-183-0x00000000005D0000-0x00000000005D9000-memory.dmp
memory/3336-182-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2380-184-0x0000000000400000-0x0000000000598000-memory.dmp
memory/3976-180-0x0000000005410000-0x0000000005422000-memory.dmp
memory/3664-170-0x0000000000520000-0x000000000058B000-memory.dmp
memory/4468-172-0x0000000000FE0000-0x0000000000FEC000-memory.dmp
memory/3664-185-0x0000000000520000-0x000000000058B000-memory.dmp
memory/340-187-0x00000000033A0000-0x00000000034C0000-memory.dmp
memory/2380-186-0x000000000060D000-0x000000000061E000-memory.dmp
memory/340-188-0x00000000035E0000-0x0000000003700000-memory.dmp
memory/4688-189-0x000000000072D000-0x000000000073D000-memory.dmp
memory/4688-190-0x0000000000400000-0x0000000000598000-memory.dmp
memory/1436-191-0x0000000000000000-mapping.dmp
memory/2380-192-0x0000000000400000-0x0000000000598000-memory.dmp
C:\Users\Admin\AppData\Local\fb26b508-42c6-462e-8bfb-e5aeaa6de5a1\5517.exe
| MD5 | bf35957e6b72a97dac143ff5ecb71e0b |
| SHA1 | d168ee93fcd4ce2205988b8e155ed1b5df26299b |
| SHA256 | 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b |
| SHA512 | e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f |
memory/3580-194-0x0000000000000000-mapping.dmp
memory/340-197-0x0000000003700000-0x00000000037CB000-memory.dmp
memory/3336-196-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5517.exe
| MD5 | bf35957e6b72a97dac143ff5ecb71e0b |
| SHA1 | d168ee93fcd4ce2205988b8e155ed1b5df26299b |
| SHA256 | 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b |
| SHA512 | e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f |
memory/4808-198-0x0000000005A20000-0x0000000005A86000-memory.dmp
memory/340-199-0x00000000037D0000-0x0000000003888000-memory.dmp
memory/340-202-0x00000000035E0000-0x0000000003700000-memory.dmp
memory/3188-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5517.exe
| MD5 | bf35957e6b72a97dac143ff5ecb71e0b |
| SHA1 | d168ee93fcd4ce2205988b8e155ed1b5df26299b |
| SHA256 | 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b |
| SHA512 | e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f |
memory/3188-206-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3580-207-0x00000000006C2000-0x0000000000753000-memory.dmp
memory/3188-208-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 1a295f69dfd5c6f54042f8bc5b31a6af |
| SHA1 | d2b64e2902114ce584f382cbd78b06354b6b14f7 |
| SHA256 | b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55 |
| SHA512 | 3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f |
memory/4808-213-0x0000000007320000-0x00000000074E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 48418ab8ab4b83ece6e9cce637d92aa0 |
| SHA1 | 91a3f5f70488e7386ac926eb3f401aa087226c42 |
| SHA256 | 262e85a7f7d877fff0af0221089f4297385d95a416d7a04384d086d324f83a85 |
| SHA512 | c1689478c07d82a59efbde890db2e5192a1ae1cb686124e9377f17394761e3e5dda60f051ff1fd81f99097b23736e98dc1b6252597f62b86fb60d722e422a58d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 136889ac23008bfdfefb91c9e5d8a11d |
| SHA1 | 8343b8ef34dc565eda256e042b43064cb8017131 |
| SHA256 | 35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5 |
| SHA512 | b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 3d6594a98a9863be6e17383d200ead76 |
| SHA1 | acd9e6b960b655d0a9e8469d2dd08f102120b766 |
| SHA256 | 5a0b3b8f2e8f4814faadf08d3956a64b929af652de131f407bfb58cabdf70b82 |
| SHA512 | d11a628afb8395750f8366131ec96e5aafa7c8b4a625b83b4052f16cc5d453fce5ec4ac7c477e5985035b93f978373e24c895ce959cbebf3f31d6a6cb8106141 |
memory/3976-214-0x0000000006620000-0x0000000006B4C000-memory.dmp
memory/3188-215-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3976-216-0x000000000078D000-0x00000000007BE000-memory.dmp
memory/4224-217-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe
| MD5 | efcd4db108fc262b0fba4f82692bfdf1 |
| SHA1 | 5cc11f23b251c802e2e5497cc40d5702853e4f16 |
| SHA256 | 1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976 |
| SHA512 | 6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e |
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe
| MD5 | efcd4db108fc262b0fba4f82692bfdf1 |
| SHA1 | 5cc11f23b251c802e2e5497cc40d5702853e4f16 |
| SHA256 | 1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976 |
| SHA512 | 6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e |
memory/3976-220-0x0000000006F00000-0x0000000006F76000-memory.dmp
memory/3976-221-0x0000000007B50000-0x0000000007BA0000-memory.dmp
memory/4928-222-0x0000000000000000-mapping.dmp
memory/4928-223-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build2.exe
| MD5 | efcd4db108fc262b0fba4f82692bfdf1 |
| SHA1 | 5cc11f23b251c802e2e5497cc40d5702853e4f16 |
| SHA256 | 1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976 |
| SHA512 | 6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e |
memory/4928-225-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4224-227-0x0000000000708000-0x0000000000735000-memory.dmp
memory/4928-226-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4224-228-0x0000000000660000-0x00000000006B9000-memory.dmp
memory/4928-229-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3208-230-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\43a51736-70a1-4920-ab05-f0d128a5666a\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1780-233-0x0000000000000000-mapping.dmp
C:\ProgramData\sqlite3.dll
| MD5 | 1f44d4d3087c2b202cf9c90ee9d04b0f |
| SHA1 | 106a3ebc9e39ab6ddb3ff987efb6527c956f192d |
| SHA256 | 4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260 |
| SHA512 | b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45 |
memory/3976-235-0x000000000078D000-0x00000000007BE000-memory.dmp
memory/3976-236-0x0000000000400000-0x00000000005B8000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\E12E.exe
| MD5 | fd94179338c0d2db88be5d725e3e6d6a |
| SHA1 | 6f191436d3b3670f043008fe2560f475afc74ffe |
| SHA256 | 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611 |
| SHA512 | dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc |
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
| MD5 | 62cc38baf77f03bb37900feffaa08feb |
| SHA1 | ea76c77ffc13a9e08d4bd6c943757fc525554e6c |
| SHA256 | 3c6cd9ce86aed45b2f5baa0cd6c0c5708ffa228b6eecb96089ecfa1611ac8868 |
| SHA512 | b88d614d56292a35b5cd88b0eff3d8e2609fbf1e809f97c53451b7ff3a588cfb19a37c180546af008a2192d930f4102a4d27bfa3b67519a27de82380a4a8134f |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |