Malware Analysis Report

2024-10-23 17:30

Sample ID 221129-hxlktsag7x
Target fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d
SHA256 fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d
Tags
amadey djvu smokeloader vidar 517 backdoor collection discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d

Threat Level: Known bad

The file fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d was found to be: Known bad.

Malicious Activity Summary

amadey djvu smokeloader vidar 517 backdoor collection discovery persistence ransomware spyware stealer trojan

Detects Smokeloader packer

Djvu Ransomware

Amadey

Detected Djvu ransomware

Vidar

Detect Amadey credential stealer module

SmokeLoader

Blocklisted process makes network request

Executes dropped EXE

Downloads MZ/PE file

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Reads local data of messenger clients

Deletes itself

Adds Run key to start application

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Creates scheduled task(s)

outlook_win_path

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-29 07:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-29 07:06

Reported

2022-11-29 07:09

Platform

win10-20220901-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe"

Signatures

Amadey

trojan amadey

Detect Amadey credential stealer module

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cbe8d126-8bd2-4a3c-84f8-29768b3e765d\\1434.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1434.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2609.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2609.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2B69.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2B69.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2609.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2B69.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build2.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2609.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B69.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 2364 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 2364 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 2364 wrote to memory of 1148 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\182C.exe
PID 2364 wrote to memory of 1148 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\182C.exe
PID 2364 wrote to memory of 1148 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\182C.exe
PID 2364 wrote to memory of 1476 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1F13.exe
PID 2364 wrote to memory of 1476 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1F13.exe
PID 2364 wrote to memory of 1476 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1F13.exe
PID 2364 wrote to memory of 2824 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2609.exe
PID 2364 wrote to memory of 2824 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2609.exe
PID 2364 wrote to memory of 2824 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2609.exe
PID 2364 wrote to memory of 4120 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B69.exe
PID 2364 wrote to memory of 4120 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B69.exe
PID 2364 wrote to memory of 4120 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B69.exe
PID 2364 wrote to memory of 3480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32BD.exe
PID 2364 wrote to memory of 3480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32BD.exe
PID 2364 wrote to memory of 3480 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32BD.exe
PID 2364 wrote to memory of 4152 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39B3.exe
PID 2364 wrote to memory of 4152 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39B3.exe
PID 2364 wrote to memory of 4152 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39B3.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4460 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 2364 wrote to memory of 4912 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 2364 wrote to memory of 4912 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1148 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\182C.exe | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
PID 1148 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\182C.exe | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
PID 1148 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\182C.exe | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
PID 4912 wrote to memory of 4972 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4912 wrote to memory of 4972 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4912 wrote to memory of 4972 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2364 wrote to memory of 428 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 428 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 428 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 428 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 4784 | N/A | N/A | C:\Windows\explorer.exe
PID 2364 wrote to memory of 4784 | N/A | N/A | C:\Windows\explorer.exe
PID 2364 wrote to memory of 4784 | N/A | N/A | C:\Windows\explorer.exe
PID 4612 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4612 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4612 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4884 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Windows\SysWOW64\icacls.exe
PID 4884 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Windows\SysWOW64\icacls.exe
PID 4884 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Windows\SysWOW64\icacls.exe
PID 4884 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4884 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 4884 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe
PID 60 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\1434.exe | C:\Users\Admin\AppData\Local\Temp\1434.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe

"C:\Users\Admin\AppData\Local\Temp\fb5798780427ffd3c458ef9b70313c3af8fa36cb9b5f99cccfd151e0f358426d.exe"

C:\Users\Admin\AppData\Local\Temp\1434.exe

C:\Users\Admin\AppData\Local\Temp\1434.exe

C:\Users\Admin\AppData\Local\Temp\182C.exe

C:\Users\Admin\AppData\Local\Temp\182C.exe

C:\Users\Admin\AppData\Local\Temp\1F13.exe

C:\Users\Admin\AppData\Local\Temp\1F13.exe

C:\Users\Admin\AppData\Local\Temp\2609.exe

C:\Users\Admin\AppData\Local\Temp\2609.exe

C:\Users\Admin\AppData\Local\Temp\2B69.exe

C:\Users\Admin\AppData\Local\Temp\2B69.exe

C:\Users\Admin\AppData\Local\Temp\32BD.exe

C:\Users\Admin\AppData\Local\Temp\32BD.exe

C:\Users\Admin\AppData\Local\Temp\39B3.exe

C:\Users\Admin\AppData\Local\Temp\39B3.exe

C:\Users\Admin\AppData\Local\Temp\1434.exe

C:\Users\Admin\AppData\Local\Temp\1434.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45BB.dll

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\45BB.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 484

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 476

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\cbe8d126-8bd2-4a3c-84f8-29768b3e765d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1434.exe

"C:\Users\Admin\AppData\Local\Temp\1434.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1434.exe

"C:\Users\Admin\AppData\Local\Temp\1434.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build2.exe

"C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build2.exe"

C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build3.exe

"C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build2.exe

"C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build2.exe"

C:\Users\Admin\AppData\Local\Temp\F42C.exe

C:\Users\Admin\AppData\Local\Temp\F42C.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\6bf799be-aec0-413b-875b-0f2918a22d6e\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Weheooup.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 660

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | furubujjul.net | udp
N/A | 91.195.240.101:80 | furubujjul.net | tcp
N/A | 8.8.8.8:53 | starvestitibo.org | udp
N/A | 193.106.191.15:80 | starvestitibo.org | tcp
N/A | 193.56.146.77:80 | 193.56.146.77 | tcp
N/A | 20.189.173.15:443 | | tcp
N/A | 8.8.8.8:53 | careers-info.com | udp
N/A | 167.235.4.117:443 | careers-info.com | tcp
N/A | 77.73.131.124:80 | 77.73.131.124 | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 8.8.8.8:53 | api.2ip.ua | udp
N/A | 162.0.217.254:443 | api.2ip.ua | tcp
N/A | 193.106.191.15:80 | starvestitibo.org | tcp
N/A | 193.56.146.194:80 | 193.56.146.194 | tcp
N/A | 193.56.146.194:80 | 193.56.146.194 | tcp
N/A | 162.0.217.254:443 | api.2ip.ua | tcp
N/A | 8.8.8.8:53 | uaery.top | udp
N/A | 211.40.39.251:80 | uaery.top | tcp
N/A | 8.8.8.8:53 | fresherlights.com | udp
N/A | 211.119.84.112:80 | fresherlights.com | tcp
N/A | 8.8.8.8:53 | dowe.at | udp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 211.119.84.112:80 | fresherlights.com | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 123.253.32.170:80 | 123.253.32.170 | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 8.8.8.8:53 | t.me | udp
N/A | 149.154.167.99:443 | t.me | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 95.217.31.208:80 | 95.217.31.208 | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 193.56.146.194:80 | 193.56.146.194 | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp
N/A | 10.127.0.59:80 | | tcp
N/A | 10.127.0.59:80 | | tcp
N/A | 222.236.49.123:80 | dowe.at | tcp

Files

memory/2748-120-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-121-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-122-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-123-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-124-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-125-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-126-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-127-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-129-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-130-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-128-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-131-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-132-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-133-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-134-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-135-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-136-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-137-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-138-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-139-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-140-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-142-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-143-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-144-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-145-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-146-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-147-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-148-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-149-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-151-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-150-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-152-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-154-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2748-153-0x0000000000540000-0x000000000068A000-memory.dmp

memory/2748-155-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-156-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2748-157-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4460-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1434.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

memory/4460-160-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-161-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-162-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-163-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-164-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-166-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-165-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-168-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-169-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1434.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

memory/1148-170-0x0000000000000000-mapping.dmp

memory/4460-171-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-174-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-176-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-178-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-177-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-179-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-181-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-180-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-183-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-185-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-184-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\182C.exe

MD5 e82d5972f368fb0822d0e3faccfc6f91
SHA1 0074fcfde338469bcfa19af0b5104bae31c70530
SHA256 2258e60f006a44a85e447fb458548078618c550a5f2eb64610fa3737e934e2c6
SHA512 9da0fdd7ae1d56b6532ffed293462092520e7362f5b70809a48d6c5ac38f06b7c7a68a8b03d094d2aaa3ae95669cbdc9232c3030fcab19069c618f6d14ab99a1

memory/1148-189-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-193-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-192-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-191-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-190-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/1148-187-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-186-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-182-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-175-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-172-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\182C.exe

MD5 e82d5972f368fb0822d0e3faccfc6f91
SHA1 0074fcfde338469bcfa19af0b5104bae31c70530
SHA256 2258e60f006a44a85e447fb458548078618c550a5f2eb64610fa3737e934e2c6
SHA512 9da0fdd7ae1d56b6532ffed293462092520e7362f5b70809a48d6c5ac38f06b7c7a68a8b03d094d2aaa3ae95669cbdc9232c3030fcab19069c618f6d14ab99a1

memory/1476-195-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1F13.exe

MD5 c42d13fbc2efd907113054c91ff86130
SHA1 6dc92133c1410be4d4911b7ae934e8c4a6d050af
SHA256 76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0
SHA512 6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

C:\Users\Admin\AppData\Local\Temp\1F13.exe

MD5 c42d13fbc2efd907113054c91ff86130
SHA1 6dc92133c1410be4d4911b7ae934e8c4a6d050af