Analysis Overview
SHA256
ca19c8ccb6a6b25ef286ee0f5a82abc186290cbacd427371584ce2ac65501d9c
Threat Level: Known bad
The file 6ddf800f1c10179bdbe0e543c6641349.exe was found to be: Known bad.
Malicious Activity Summary
Detect Amadey credential stealer module
RedLine payload
DcRat
RedLine
SmokeLoader
Detects Smokeloader packer
Amadey
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
UPX packed file
Reads local data of messenger clients
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:41
Reported
2022-11-01 11:43
Platform
win7-20220901-en
Max time kernel
150s
Max time network
49s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe
"C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe"
Network
Files
memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp
memory/1284-55-0x00000000002E9000-0x00000000002FE000-memory.dmp
memory/1284-56-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/1284-57-0x0000000000400000-0x0000000002C3E000-memory.dmp
memory/1284-58-0x0000000000400000-0x0000000002C3E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-01 11:41
Reported
2022-11-01 11:43
Platform
win10v2004-20220901-en
Max time kernel
143s
Max time network
140s
Command Line
Signatures
Amadey
DcRat
Detect Amadey credential stealer module
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4362.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\539F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5A58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66AD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DB.exe | N/A |
| N/A | N/A | C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5A58.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\69DB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4488 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\4362.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 4812 set thread context of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\539F.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 3372 set thread context of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\57A7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1744 set thread context of 5024 | N/A | C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\69DB.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe
"C:\Users\Admin\AppData\Local\Temp\6ddf800f1c10179bdbe0e543c6641349.exe"
C:\Users\Admin\AppData\Local\Temp\4362.exe
C:\Users\Admin\AppData\Local\Temp\4362.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\539F.exe
C:\Users\Admin\AppData\Local\Temp\539F.exe
C:\Users\Admin\AppData\Local\Temp\57A7.exe
C:\Users\Admin\AppData\Local\Temp\57A7.exe
C:\Users\Admin\AppData\Local\Temp\5A58.exe
C:\Users\Admin\AppData\Local\Temp\5A58.exe
C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
"C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\66AD.exe
C:\Users\Admin\AppData\Local\Temp\66AD.exe
C:\Users\Admin\AppData\Local\Temp\69DB.exe
C:\Users\Admin\AppData\Local\Temp\69DB.exe
C:\Windows\system32\cmd.exe
cmd.exe /c "del C:\Users\Admin\AppData\Local\Temp\66AD.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4312 -ip 4312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1140
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3488 -ip 3488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 420
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | o36fafs3sn6xou.com | udp |
| CH | 34.65.131.183:80 | o36fafs3sn6xou.com | tcp |
| US | 8.8.8.8:53 | atikmuhendislik.net | udp |
| TR | 78.135.82.192:443 | atikmuhendislik.net | tcp |
| US | 8.8.8.8:53 | web3portal.com | udp |
| US | 185.150.190.66:443 | web3portal.com | tcp |
| RU | 78.153.144.3:2510 | tcp | |
| RU | 31.41.244.153:80 | 31.41.244.153 | tcp |
| US | 20.42.73.24:443 | tcp | |
| GB | 77.73.134.247:80 | 77.73.134.247 | tcp |
| CH | 179.43.140.174:80 | 179.43.140.174 | tcp |
| RU | 31.41.244.15:80 | 31.41.244.15 | tcp |
| RU | 31.41.244.15:80 | 31.41.244.15 | tcp |
| FR | 2.18.109.224:443 | tcp | |
| DE | 167.235.71.14:20469 | tcp | |
| US | 8.8.8.8:53 | na.luckpool.net | udp |
| CA | 149.56.27.47:3956 | na.luckpool.net | tcp |
| NL | 88.221.25.155:80 | tcp | |
| RU | 31.41.244.15:80 | 31.41.244.15 | tcp |
| N/A | 10.127.0.137:80 | tcp | |
| N/A | 10.127.0.137:80 | tcp |
Files
memory/4348-132-0x0000000002EA2000-0x0000000002EB7000-memory.dmp
memory/4348-133-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/4348-134-0x0000000000400000-0x0000000002C3E000-memory.dmp
memory/4348-135-0x0000000000400000-0x0000000002C3E000-memory.dmp
memory/4488-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4362.exe
| MD5 | 287572edc287d01d1e625d3b93efa326 |
| SHA1 | 1ed75fcfe9a37ba94ab8c59bf5048b1a85932857 |
| SHA256 | b6c62694edd72c240d022a7a33276ee091fa986437f571c50a34fd67c9b44e45 |
| SHA512 | 02994440785ec5347fd4f0895d674456f360ef43bc2ed96502cce72210600ff0af912ce169d66716893ccdb1a6894d2a7c2c6715b0652178fbb0535962e170e9 |
C:\Users\Admin\AppData\Local\Temp\4362.exe
| MD5 | 287572edc287d01d1e625d3b93efa326 |
| SHA1 | 1ed75fcfe9a37ba94ab8c59bf5048b1a85932857 |
| SHA256 | b6c62694edd72c240d022a7a33276ee091fa986437f571c50a34fd67c9b44e45 |
| SHA512 | 02994440785ec5347fd4f0895d674456f360ef43bc2ed96502cce72210600ff0af912ce169d66716893ccdb1a6894d2a7c2c6715b0652178fbb0535962e170e9 |
memory/1632-139-0x0000000000000000-mapping.dmp
memory/1632-140-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1632-145-0x00000000057C0000-0x0000000005DD8000-memory.dmp
memory/1632-146-0x0000000005340000-0x000000000544A000-memory.dmp
memory/1632-147-0x0000000005280000-0x0000000005292000-memory.dmp
memory/1632-148-0x00000000052E0000-0x000000000531C000-memory.dmp
memory/4812-149-0x0000000000000000-mapping.dmp
memory/4812-152-0x0000000000CA0000-0x0000000000DD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\539F.exe
| MD5 | b67545f8f9bcc95c2efca01d65d4c429 |
| SHA1 | 062c213d68a70dfdaef4bc9828fbfd8ec0e0dbaf |
| SHA256 | 5c5b2716906f6be939574770f2ce1822dd3d4874dc1924a82096bccc377afde4 |
| SHA512 | 4ca32731de173cc6a71f5b76ec94b98d340e3186f52719bdc7ed79849c5b2c4d5b2952c33e20716ce9af35d50d0e962521904a4a8d977e182dc3aabfdfa3d563 |
C:\Users\Admin\AppData\Local\Temp\539F.exe
| MD5 | b67545f8f9bcc95c2efca01d65d4c429 |
| SHA1 | 062c213d68a70dfdaef4bc9828fbfd8ec0e0dbaf |
| SHA256 | 5c5b2716906f6be939574770f2ce1822dd3d4874dc1924a82096bccc377afde4 |
| SHA512 | 4ca32731de173cc6a71f5b76ec94b98d340e3186f52719bdc7ed79849c5b2c4d5b2952c33e20716ce9af35d50d0e962521904a4a8d977e182dc3aabfdfa3d563 |
memory/4812-153-0x0000000005C80000-0x0000000006224000-memory.dmp
memory/4812-154-0x00000000056D0000-0x0000000005762000-memory.dmp
memory/3372-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\57A7.exe
| MD5 | b6f73df0d1c7d5fef86b5f3034767901 |
| SHA1 | 0bc4f94c5100cbfae5c520ca7b541c3c86d528f3 |
| SHA256 | 82a405a195eb3815d8a5ead1c6271cb279f7dbc11abebb7129b59561ad36e4b2 |
| SHA512 | 196c7c0321c6f35f9222d278fa226c9a5b28d5bdb22636be1a365db3f18d37c12371dff9881324244bd284cc764e257744b1d134860ce4485d4b3c8dc74b5f8a |
C:\Users\Admin\AppData\Local\Temp\57A7.exe
| MD5 | b6f73df0d1c7d5fef86b5f3034767901 |
| SHA1 | 0bc4f94c5100cbfae5c520ca7b541c3c86d528f3 |
| SHA256 | 82a405a195eb3815d8a5ead1c6271cb279f7dbc11abebb7129b59561ad36e4b2 |
| SHA512 | 196c7c0321c6f35f9222d278fa226c9a5b28d5bdb22636be1a365db3f18d37c12371dff9881324244bd284cc764e257744b1d134860ce4485d4b3c8dc74b5f8a |
memory/3104-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5A58.exe
| MD5 | 3cbeec829f400bbc837e6cedf044a6cb |
| SHA1 | b6906942e53a1482069c123ca7f127cdf50c25fc |
| SHA256 | f2ba48f9b1da2b3971f2e70b772a4d6fc503eb4b890fca1923b322687b77dd9f |
| SHA512 | 285f08009934e530ef37b1c98097e7ab1134943e0796fbc0413883e367110aa1d4f14f5ed242b9386d8677e2cbc3000bbe3ccea5ac27b0aa72128425c8106806 |
memory/4812-159-0x0000000005BF0000-0x0000000005C12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5A58.exe
| MD5 | 3cbeec829f400bbc837e6cedf044a6cb |
| SHA1 | b6906942e53a1482069c123ca7f127cdf50c25fc |
| SHA256 | f2ba48f9b1da2b3971f2e70b772a4d6fc503eb4b890fca1923b322687b77dd9f |
| SHA512 | 285f08009934e530ef37b1c98097e7ab1134943e0796fbc0413883e367110aa1d4f14f5ed242b9386d8677e2cbc3000bbe3ccea5ac27b0aa72128425c8106806 |
memory/3104-162-0x00000000001C0000-0x00000000002E0000-memory.dmp
memory/4176-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
| MD5 | 9796f845b710c1e68ee9f93592503665 |
| SHA1 | 9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51 |
| SHA256 | 2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f |
| SHA512 | c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135 |
C:\Users\Admin\AppData\Roaming\sSeHUCuHsBSBcKeEcBeUHbHSCsEaUkBhCFKshABHcshBEBHUFEKsBUU.exe
| MD5 | 9796f845b710c1e68ee9f93592503665 |
| SHA1 | 9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51 |
| SHA256 | 2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f |
| SHA512 | c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135 |
memory/3104-167-0x00007FF98F440000-0x00007FF98FF01000-memory.dmp
memory/4176-166-0x0000000000050000-0x0000000000126000-memory.dmp
memory/4640-168-0x0000000000000000-mapping.dmp
memory/4640-169-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4640-171-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4632-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6040.tmp.bat
| MD5 | 703041446bd3c027996cb1ab7516c12c |
| SHA1 | fa5e48b8f223e1bce1ca6dcba0863e4c130bbdd0 |
| SHA256 | 7f56ffa303d1add0a1184f224edc7dc221cafd46428c24940241be6d6f3ac9d0 |
| SHA512 | 22632b16e3acd3753721b10568ac554e60185f11efc13f28eb275e105dbe4e0d07e0f2055c5685a037102b02b2ec4b15e066955bcc902257fd25a24fff1456cd |
memory/4176-174-0x00007FF98F440000-0x00007FF98FF01000-memory.dmp
memory/4396-175-0x0000000000000000-mapping.dmp
memory/4640-176-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\66AD.exe
| MD5 | e654228f62c81cfa6da658858a46ccff |
| SHA1 | 6926e074d206a7f1bdab2a5c4f374c75338a4a93 |
| SHA256 | e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003 |
| SHA512 | bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a |
memory/2228-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\66AD.exe
| MD5 | e654228f62c81cfa6da658858a46ccff |
| SHA1 | 6926e074d206a7f1bdab2a5c4f374c75338a4a93 |
| SHA256 | e22ad0212d094263e07e449bb8370760dbeed1a89ad76b485ea7f072694d4003 |
| SHA512 | bd2dbe69fc707b3090625af3a7dd226060712f2185a0ffdfa9229ccca085e4159b3832cb0ac45c9d80cd3f8521a89164a150966fbbee210c984e24ffb4b75a0a |
memory/4312-180-0x0000000000000000-mapping.dmp
memory/4308-181-0x0000000000000000-mapping.dmp
memory/2228-184-0x0000000000220000-0x0000000000A09000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69DB.exe
| MD5 | 2d71178035cc220c79f00a8fdd2df64b |
| SHA1 | fb289a0637c798844126c4ee726f013b9b971270 |
| SHA256 | 58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11 |
| SHA512 | 4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf |
C:\Users\Admin\AppData\Local\Temp\69DB.exe
| MD5 | 2d71178035cc220c79f00a8fdd2df64b |
| SHA1 | fb289a0637c798844126c4ee726f013b9b971270 |
| SHA256 | 58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11 |
| SHA512 | 4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf |
memory/1480-185-0x0000000000000000-mapping.dmp
memory/1744-186-0x0000000000000000-mapping.dmp
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
| MD5 | 9796f845b710c1e68ee9f93592503665 |
| SHA1 | 9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51 |
| SHA256 | 2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f |
| SHA512 | c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135 |
memory/1480-189-0x0000000000140000-0x0000000000147000-memory.dmp
memory/1480-190-0x0000000000130000-0x000000000013B000-memory.dmp
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
| MD5 | 9796f845b710c1e68ee9f93592503665 |
| SHA1 | 9be7d53dfa928f3a4ff37146a0ec1ef9a62c3c51 |
| SHA256 | 2c0d646f8dbe3bc19c6d85ba819af553d68a1d4ce61a3e9f843566d35f240d8f |
| SHA512 | c5f0f2fba732f9ba484e0ee0d672f488c1f7c454f1b549e348dea86f96e5bc706e8e634bb1cdab3f52d16af9ac8bb29505bf5905d47386b04a5905dc6b5e5135 |
memory/1632-192-0x0000000005720000-0x0000000005786000-memory.dmp
memory/4636-191-0x0000000000000000-mapping.dmp
memory/1744-193-0x00007FF98F440000-0x00007FF98FF01000-memory.dmp
memory/3892-194-0x0000000000000000-mapping.dmp
memory/1296-196-0x0000000000000000-mapping.dmp
memory/1632-195-0x0000000006280000-0x00000000062F6000-memory.dmp
memory/1632-198-0x0000000006320000-0x0000000006370000-memory.dmp
memory/4636-199-0x0000000000560000-0x000000000056F000-memory.dmp
memory/4636-197-0x0000000000570000-0x0000000000579000-memory.dmp
memory/1296-200-0x0000000001330000-0x0000000001339000-memory.dmp
memory/2572-201-0x0000000000000000-mapping.dmp
memory/1632-202-0x0000000006B10000-0x0000000006CD2000-memory.dmp
memory/1632-203-0x0000000007210000-0x000000000773C000-memory.dmp
memory/4808-204-0x0000000000000000-mapping.dmp
memory/1296-205-0x0000000001340000-0x0000000001345000-memory.dmp
memory/4808-206-0x0000000000720000-0x0000000000726000-memory.dmp
memory/4808-207-0x0000000000710000-0x000000000071C000-memory.dmp
memory/1488-208-0x0000000000000000-mapping.dmp
memory/2124-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
| MD5 | 2d71178035cc220c79f00a8fdd2df64b |
| SHA1 | fb289a0637c798844126c4ee726f013b9b971270 |
| SHA256 | 58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11 |
| SHA512 | 4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf |
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
| MD5 | 2d71178035cc220c79f00a8fdd2df64b |
| SHA1 | fb289a0637c798844126c4ee726f013b9b971270 |
| SHA256 | 58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11 |
| SHA512 | 4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf |
memory/4312-212-0x0000000002CA3000-0x0000000002CC2000-memory.dmp
memory/4312-213-0x0000000004890000-0x00000000048CE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | dbf4f8dcefb8056dc6bae4b67ff810ce |
| SHA1 | bbac1dd8a07c6069415c04b62747d794736d0689 |
| SHA256 | 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68 |
| SHA512 | b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1 |
C:\Users\Admin\AppData\LocalLow\nss3.dll
| MD5 | f67d08e8c02574cbc2f1122c53bfb976 |
| SHA1 | 6522992957e7e4d074947cad63189f308a80fcf2 |
| SHA256 | c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e |
| SHA512 | 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5 |
C:\Users\Admin\AppData\LocalLow\mozglue.dll
| MD5 | f07d9977430e762b563eaadc2b94bbfa |
| SHA1 | da0a05b2b8d269fb73558dfcf0ed5c167f6d3877 |
| SHA256 | 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862 |
| SHA512 | 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf |
memory/3220-217-0x0000000000000000-mapping.dmp
memory/4312-218-0x0000000000400000-0x0000000002C48000-memory.dmp
memory/1488-219-0x0000000001600000-0x0000000001622000-memory.dmp
memory/1488-220-0x00000000013D0000-0x00000000013F7000-memory.dmp
memory/1756-221-0x0000000000000000-mapping.dmp
memory/3220-222-0x0000000001310000-0x0000000001315000-memory.dmp
memory/3220-223-0x0000000001300000-0x0000000001309000-memory.dmp
memory/1756-225-0x00000000008D0000-0x00000000008DB000-memory.dmp
memory/1756-224-0x00000000008E0000-0x00000000008E6000-memory.dmp
memory/1528-226-0x0000000000000000-mapping.dmp
memory/3104-227-0x00007FF98F440000-0x00007FF98FF01000-memory.dmp
memory/1528-229-0x0000000000FC0000-0x0000000000FCD000-memory.dmp
memory/1528-228-0x0000000000FD0000-0x0000000000FD7000-memory.dmp
memory/4160-230-0x0000000000000000-mapping.dmp
memory/4160-231-0x0000000001350000-0x0000000001358000-memory.dmp
memory/4160-232-0x0000000001340000-0x000000000134B000-memory.dmp
memory/4640-233-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1500-234-0x0000000000000000-mapping.dmp
memory/2124-235-0x0000000002E63000-0x0000000002E82000-memory.dmp
memory/2124-236-0x0000000000400000-0x0000000002C48000-memory.dmp
memory/2228-237-0x0000000000220000-0x0000000000A09000-memory.dmp
memory/1480-238-0x0000000000140000-0x0000000000147000-memory.dmp
memory/1744-239-0x00007FF98F440000-0x00007FF98FF01000-memory.dmp
memory/4636-240-0x0000000000570000-0x0000000000579000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
| MD5 | 2d71178035cc220c79f00a8fdd2df64b |
| SHA1 | fb289a0637c798844126c4ee726f013b9b971270 |
| SHA256 | 58036312cd69c237f26fc2145ccf0b9bcda123708b66f820eb7c137ab4361b11 |
| SHA512 | 4d7d991d7dac4dab52eb06de85d706f18f752e2b495cae20fb4b1c9c23f9244c2a486ee41589cce1e1876334590ca6d8d8b044eef3cf0d2c64e8b2cb48a0fcaf |
memory/4024-242-0x0000000000000000-mapping.dmp
memory/4024-243-0x0000000000600000-0x0000000000628000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
| MD5 | 5c9237df35c69a284b3cfd66970ce736 |
| SHA1 | 6c25b1319637046c663d18e36bdafbb6f5cadf00 |
| SHA256 | b4a0eea59921d24fe0f743c96ed5322c79af4c22d37c16f62bdba777c6be717e |
| SHA512 | 01dcd3afd5f4d395299ad2b8f8c41c1b39422486274d0a95c0f4e187b38d75ff40fce896815fa9dc05b2d66403ae83a697cb43927271f0eb1de28d78163dcc06 |
memory/1296-249-0x0000000001340000-0x0000000001345000-memory.dmp
memory/4808-250-0x0000000000720000-0x0000000000726000-memory.dmp
memory/1488-251-0x0000000001600000-0x0000000001622000-memory.dmp
memory/3220-252-0x0000000001310000-0x0000000001315000-memory.dmp
memory/1756-253-0x00000000008E0000-0x00000000008E6000-memory.dmp
memory/1528-254-0x0000000000FD0000-0x0000000000FD7000-memory.dmp
memory/5024-255-0x0000000140000000-0x00000001400C6000-memory.dmp
memory/5024-256-0x000000014006EE80-mapping.dmp
memory/5024-257-0x0000000140000000-0x00000001400C6000-memory.dmp
memory/5024-258-0x0000000140000000-0x00000001400C6000-memory.dmp
memory/1828-259-0x0000000000000000-mapping.dmp
memory/1744-260-0x00007FF98F440000-0x00007FF98FF01000-memory.dmp
memory/4160-261-0x0000000001350000-0x0000000001358000-memory.dmp
memory/5024-262-0x0000000140000000-0x00000001400C6000-memory.dmp
memory/3488-263-0x0000000002E34000-0x0000000002E53000-memory.dmp
memory/3488-264-0x0000000000400000-0x0000000002C48000-memory.dmp
memory/3860-267-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
| MD5 | 522adad0782501491314a78c7f32006b |
| SHA1 | e487edceeef3a41e2a8eea1e684bcbc3b39adb97 |
| SHA256 | 351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba |
| SHA512 | 5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7 |
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
| MD5 | 522adad0782501491314a78c7f32006b |
| SHA1 | e487edceeef3a41e2a8eea1e684bcbc3b39adb97 |
| SHA256 | 351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba |
| SHA512 | 5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7 |