Analysis Overview
SHA256
fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361
Threat Level: Known bad
The file fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361 was found to be: Known bad.
Malicious Activity Summary
Amadey
SmokeLoader
Djvu Ransomware
Detects Smokeloader packer
Detected Djvu ransomware
Vidar
Detect Amadey credential stealer module
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Reads local data of messenger clients
Modifies file permissions
Looks up external IP address via web service
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
outlook_office_path
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
outlook_win_path
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-29 10:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-29 10:36
Reported
2022-11-29 10:39
Platform
win10-20220901-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Amadey
Detect Amadey credential stealer module
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d3e350ad-f19e-4dfe-ace0-06a07f3d4661\\A60.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A60.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks_powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\socks5-clean.ps1\"" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4460 set thread context of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\A60.exe | C:\Users\Admin\AppData\Local\Temp\A60.exe |
| PID 508 set thread context of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\A60.exe | C:\Users\Admin\AppData\Local\Temp\A60.exe |
| PID 1288 set thread context of 660 | N/A | C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe | C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe |
| PID 1916 set thread context of 2204 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2119.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2F53.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2F53.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1C45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2F53.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1C45.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1C45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\28CA.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\28CA.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\28CA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000007d55e254100054656d7000003a0009000400efbe2155a8847d55e2542e0000000000000000000000000000000000000000000000000048781701540065006d007000000014000000 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1C45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28CA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F53.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe
"C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe"
C:\Users\Admin\AppData\Local\Temp\A60.exe
C:\Users\Admin\AppData\Local\Temp\A60.exe
C:\Users\Admin\AppData\Local\Temp\F91.exe
C:\Users\Admin\AppData\Local\Temp\F91.exe
C:\Users\Admin\AppData\Local\Temp\13E8.exe
C:\Users\Admin\AppData\Local\Temp\13E8.exe
C:\Users\Admin\AppData\Local\Temp\1C45.exe
C:\Users\Admin\AppData\Local\Temp\1C45.exe
C:\Users\Admin\AppData\Local\Temp\2119.exe
C:\Users\Admin\AppData\Local\Temp\2119.exe
C:\Users\Admin\AppData\Local\Temp\28CA.exe
C:\Users\Admin\AppData\Local\Temp\28CA.exe
C:\Users\Admin\AppData\Local\Temp\2F53.exe
C:\Users\Admin\AppData\Local\Temp\2F53.exe
C:\Users\Admin\AppData\Local\Temp\A60.exe
C:\Users\Admin\AppData\Local\Temp\A60.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3937.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3937.dll
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 476
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d3e350ad-f19e-4dfe-ace0-06a07f3d4661" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\A60.exe
"C:\Users\Admin\AppData\Local\Temp\A60.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\A60.exe
"C:\Users\Admin\AppData\Local\Temp\A60.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe
"C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe"
C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build3.exe
"C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\DD87.exe
C:\Users\Admin\AppData\Local\Temp\DD87.exe
C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe
"C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe"
C:\Users\Admin\AppData\Local\Temp\F96D.exe
C:\Users\Admin\AppData\Local\Temp\F96D.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll,start
C:\Users\Admin\AppData\Local\Temp\13CC.exe
C:\Users\Admin\AppData\Local\Temp\13CC.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 13724
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | furubujjul.net | udp |
| N/A | 91.195.240.101:80 | furubujjul.net | tcp |
| N/A | 8.8.8.8:53 | starvestitibo.org | udp |
| N/A | 193.106.191.15:80 | starvestitibo.org | tcp |
| N/A | 193.56.146.77:80 | 193.56.146.77 | tcp |
| N/A | 8.8.8.8:53 | careers-info.com | udp |
| N/A | 167.235.4.117:443 | careers-info.com | tcp |
| N/A | 20.189.173.15:443 | | tcp |
| N/A | 77.73.131.124:80 | 77.73.131.124 | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 193.56.146.194:80 | 193.56.146.194 | tcp |
| N/A | 193.56.146.194:80 | 193.56.146.194 | tcp |
| N/A | 193.106.191.15:80 | starvestitibo.org | tcp |
| N/A | 8.8.8.8:53 | dowe.at | udp |
| N/A | 95.107.163.44:80 | dowe.at | tcp |
| N/A | 95.107.163.44:80 | dowe.at | tcp |
| N/A | 95.107.163.44:80 | dowe.at | tcp |
| N/A | 95.107.163.44:80 | dowe.at | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 95.107.163.44:80 | dowe.at | tcp |
| N/A | 123.253.32.170:80 | 123.253.32.170 | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | fresherlights.com | udp |
| N/A | 211.171.233.129:80 | uaery.top | tcp |
| N/A | 210.182.29.70:80 | fresherlights.com | tcp |
| N/A | 210.182.29.70:80 | fresherlights.com | tcp |
| N/A | 8.8.8.8:53 | r3oidsofsios.com | udp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 8.8.8.8:53 | bitbucket.org | udp |
| N/A | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| N/A | 54.231.225.201:443 | bbuseruploads.s3.amazonaws.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 62.204.41.252:80 | 62.204.41.252 | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 185.246.221.151:80 | r3oidsofsios.com | tcp |
| N/A | 95.217.31.208:80 | 95.217.31.208 | tcp |
| N/A | 172.93.193.231:443 | 172.93.193.231 | tcp |
| N/A | 62.204.41.252:80 | 62.204.41.252 | tcp |
| N/A | 192.236.163.13:443 | 192.236.163.13 | tcp |
| N/A | 193.56.146.194:80 | 193.56.146.194 | tcp |
| N/A | 37.220.87.15:4001 | | tcp |
| N/A | 10.127.0.59:80 | | tcp |
| N/A | 10.127.0.59:80 | | tcp |
| N/A | 127.0.0.1:13724 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
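The network table mixes DNS lookups against the sandbox resolver, repeated C2 polls to the same host, bare-IP connections, loopback and private-range traffic, and a few rows whose Domain cell is empty so the Proto value sits one column to the left. The Python below is an added example, not part of the report: it parses rows in that layout (both the aligned and the shifted form), drops the resolver and local endpoints, groups contacted IPs by domain, and reports IPs that served more than one domain (95.107.163.44 answers for both dowe.at and uaery.top above). The sample rows are a constructed subset of the table. The SHARED_SERVICES set is my own assumption, covering the legitimate services the summary at the top of this report flags as abused; those names are kept out of the blocklist candidates because blocking them outright would break unrelated software.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed subset of the Network table above. Two rows keep the
# empty-Domain layout: one with the empty cell in place, one with the
# Proto value shifted into the Domain column.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | furubujjul.net | udp |
| N/A | 91.195.240.101:80 | furubujjul.net | tcp |
| N/A | 193.56.146.77:80 | 193.56.146.77 | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 20.189.173.15:443 | tcp | |
| N/A | 95.107.163.44:80 | dowe.at | tcp |
| N/A | 95.107.163.44:80 | uaery.top | tcp |
| N/A | 211.171.233.129:80 | uaery.top | tcp |
| N/A | 8.8.8.8:53 | bitbucket.org | udp |
| N/A | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 37.220.87.15:4001 | | tcp |
| N/A | 10.127.0.59:80 | tcp | |
| N/A | 127.0.0.1:13724 | tcp | |
"""

# Assumption, not from the report: shared services that should be blocked
# at the URL/path level rather than by domain name.
SHARED_SERVICES = {"bitbucket.org", "bbuseruploads.s3.amazonaws.com", "t.me", "api.2ip.ua"}


def parse_row(line: str) -> tuple[str, int, str, str] | None:
    """Return (ip, port, domain, proto) for a data row, None for anything else."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    cells = [c for c in cells if c]          # empty Domain cell, either position
    if len(cells) < 3 or ":" not in cells[1]:
        return None                          # header row or malformed line
    ip, port = cells[1].rsplit(":", 1)
    proto = next((c for c in cells[2:] if c.lower() in ("tcp", "udp")), "")
    domain = next((c for c in cells[2:] if c.lower() not in ("tcp", "udp")), "")
    return ip, int(port), domain, proto.lower()


def extract_iocs(table_text: str) -> dict:
    domains: dict[str, set[str]] = defaultdict(set)   # domain -> IPs contacted over TCP
    bare_ips: dict[str, set[int]] = defaultdict(set)  # IP with no domain -> ports
    queried: set[str] = set()                         # names seen in DNS queries
    local: set[str] = set()                           # loopback/private endpoints
    for line in table_text.splitlines():
        rec = parse_row(line)
        if rec is None:
            continue
        ip, port, domain, proto = rec
        addr = ipaddress.ip_address(ip)
        if proto == "udp" and port == 53:
            if domain:
                queried.add(domain)
            continue                                  # the resolver is not an IOC
        if addr.is_private or addr.is_loopback:
            local.add(f"{ip}:{port}")
            continue
        if domain and domain != ip:
            domains[domain].add(ip)
        else:
            bare_ips[ip].add(port)
    return {
        "domains": dict(domains),
        "bare_ips": dict(bare_ips),
        "dns_only": queried - set(domains),           # resolved but never connected
        "local": local,
    }


def shared_hosts(iocs: dict) -> dict[str, set[str]]:
    """IPs that served more than one domain: a pivot for clustering infrastructure."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for domain, ips in iocs["domains"].items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def block_candidates(iocs: dict) -> list[str]:
    """Domains that can go on a blocklist outright (shared services excluded)."""
    return sorted(d for d in iocs["domains"] if d not in SHARED_SERVICES)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    print("block:", block_candidates(iocs))
    print("shared hosts:", shared_hosts(iocs))
    print("bare IPs:", iocs["bare_ips"])
```

Bare-IP destinations (193.56.146.77, 20.189.173.15, 37.220.87.15:4001 in the sample) are reported separately: an IP that was never looked up over DNS is either hard-coded in the binary or came from a C2 response, and either way it should be checked against the rest of the table before it is treated as attacker-controlled.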
Files
memory/2744-120-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-121-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-122-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-123-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-124-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-125-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-126-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-127-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-128-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-129-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-130-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-131-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-132-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-133-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-134-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-135-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-136-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-137-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-138-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-139-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-140-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-142-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-143-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-144-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-145-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-146-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-147-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-148-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-149-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-150-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-151-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-152-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-153-0x0000000000460000-0x00000000005AA000-memory.dmp
memory/2744-154-0x00000000001E0000-0x00000000001E9000-memory.dmp
memory/2744-156-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-155-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2744-157-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2744-158-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4460-159-0x0000000000000000-mapping.dmp
memory/4460-161-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-162-0x0000000077660000-0x00000000777EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A60.exe
| MD5 | 48d297bfd2e885dc24ecb4905db4482a |
| SHA1 | 208f24f50ae748a002a5497f88abecf0e9f1dc3e |
| SHA256 | e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2 |
| SHA512 | e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42 |
memory/4460-163-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-164-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-165-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-166-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-167-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-169-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-170-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-171-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-172-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-173-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-174-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-176-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-175-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-178-0x0000000000000000-mapping.dmp
memory/4460-179-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-182-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-184-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-183-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-185-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-187-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-188-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-189-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-190-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-191-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-193-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/2348-194-0x0000000077660000-0x00000000777EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F91.exe
| MD5 | 0e4dacc0e38f7e7302000511abd571e7 |
| SHA1 | 8699e8bc762bd3e04577d4ce887ad60c9c9642ea |
| SHA256 | 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d |
| SHA512 | 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98 |
memory/2348-186-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-180-0x0000000077660000-0x00000000777EE000-memory.dmp
memory/4460-177-0x0000000077660000-0x00000000777EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\13E8.exe
| MD5 | c42d13fbc2efd907113054c91ff86130 |
| SHA1 | 6dc92133c1410be4d4911b7ae934e8c4a6d050af |
| SHA256 | 76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0 |
| SHA512 | 6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552 |
memory/1476-196-0x0000000000000000-mapping.dmp
memory/3712-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1C45.exe
| MD5 | 095185cffdf3244d073e2d61e08fe095 |
| SHA1 | 91f42a94235db96c472c95754c169b8ed1a90ecb |
| SHA256 | 6928b731080ae4f54c91fdc7bab441c0702b16f173470a6a5199cdadafe0a2a1 |
| SHA512 | 47b86018ae11b67cb5cabad80784e1a02adab2175305906b40b28282f8be5f22999782beeba0f1ccf219af88acfc5336df095b30d22ef6c94ee0393717bbad23 |
memory/756-248-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2119.exe
| MD5 | 26ab12af334137fedf1961a421294abc |
| SHA1 | f96fa14d035e6408d47093a85be5f6224ee250ed |
| SHA256 | dc0c9b8a82e97a0275bae25dff21b46f3e8521a235cf7fea929fe3d2d4609e67 |
| SHA512 | c92afc703a810ed694f5d53c2f23225fc90698387ee9ab8d007bd27240a3c694b42517015b331f487c041dff4bd52684bc16f1bbdfe3a7ac5851a7627529ef25 |
memory/2348-278-0x00000000006EA000-0x0000000000709000-memory.dmp
memory/2348-281-0x0000000002070000-0x00000000020AE000-memory.dmp
memory/4176-288-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\28CA.exe
| MD5 | de3625df6dd5400a7f910d1499bcd140 |
| SHA1 | 41667d073ac810fec50d61822e600e85759928cf |
| SHA256 | d04a145ec2b45e8119b38a49082a86036929afa9e68e24724d870bce3a296cf9 |
| SHA512 | 295ad64717417901d9bc0da73186ae07e90caec0946dac5fa4a15f46b3c0b9423776e44d8450fb065b636480f84d9a30f41a9a939d097edad922f9ac7bebb36d |
memory/2348-307-0x0000000000400000-0x0000000000468000-memory.dmp
memory/4460-311-0x00000000021D0000-0x00000000022EB000-memory.dmp
memory/2292-324-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2F53.exe
| MD5 | 29a373c2434df5c3203864edadf0142e |
| SHA1 | 06eeaf59c220156007f491e6d5c158ef8cbe39da |
| SHA256 | 278234b6fac8082ce18f4898067337c0933d8b604a90694c8d30e7d7eab23d48 |
| SHA512 | 2580ecc59623888e9de48a2a3dda5ab6d89d3f8e4f9ba6e0a6e1f8fe6bc9d9bccb2d4f7f6278f362e8bc5993135ed19dad99231f854971cb2a9d5163d7a5cd03 |
memory/4460-340-0x00000000020D0000-0x000000000216C000-memory.dmp
memory/3884-347-0x0000000000424141-mapping.dmp
memory/3712-345-0x0000000000460000-0x000000000050E000-memory.dmp
memory/3712-382-0x0000000000460000-0x000000000050E000-memory.dmp
memory/4648-385-0x0000000000000000-mapping.dmp
memory/2348-393-0x00000000006EA000-0x0000000000709000-memory.dmp
memory/2348-398-0x0000000002070000-0x00000000020AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
| MD5 | 0e4dacc0e38f7e7302000511abd571e7 |
| SHA1 | 8699e8bc762bd3e04577d4ce887ad60c9c9642ea |
| SHA256 | 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d |
| SHA512 | 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98 |
memory/3712-388-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4616-381-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3937.dll
| MD5 | c5b915ef4725ee4ad0229e053dad05d4 |
| SHA1 | 032fb4cef8ee63d527e98dadf4cdf94c707e1005 |
| SHA256 | 7a1505d85c64361dfded962e654d6293bf610cd18a3c2683f2ea24bcf99d61db |
| SHA512 | 763abbadec6389c9421730f21217b18fc3136147885c91f04ea236bbe346e250e87589599499c339d502e71d69c85612b0469d00a198eac41dad50f9c33d8603 |
memory/2348-405-0x0000000000400000-0x0000000000468000-memory.dmp
memory/564-403-0x0000000000000000-mapping.dmp
memory/4960-409-0x0000000000000000-mapping.dmp
memory/420-438-0x0000000000000000-mapping.dmp
memory/420-463-0x00000000003F0000-0x00000000003FC000-memory.dmp
memory/1476-472-0x0000000000550000-0x000000000069A000-memory.dmp
memory/4176-507-0x00000000005B0000-0x00000000006FA000-memory.dmp
memory/4176-513-0x0000000000580000-0x0000000000589000-memory.dmp
memory/1476-534-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3712-529-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4176-545-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3884-571-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\3937.dll
| MD5 | c5b915ef4725ee4ad0229e053dad05d4 |
| SHA1 | 032fb4cef8ee63d527e98dadf4cdf94c707e1005 |
| SHA256 | 7a1505d85c64361dfded962e654d6293bf610cd18a3c2683f2ea24bcf99d61db |
| SHA512 | 763abbadec6389c9421730f21217b18fc3136147885c91f04ea236bbe346e250e87589599499c339d502e71d69c85612b0469d00a198eac41dad50f9c33d8603 |
memory/4616-603-0x00000000007CA000-0x00000000007E9000-memory.dmp
memory/4616-609-0x0000000000470000-0x00000000005BA000-memory.dmp
memory/756-614-0x0000000000530000-0x000000000067A000-memory.dmp
memory/756-618-0x0000000000530000-0x000000000067A000-memory.dmp
memory/756-622-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4616-644-0x0000000000400000-0x0000000000468000-memory.dmp
memory/4960-649-0x0000000000960000-0x00000000009D5000-memory.dmp
memory/4176-662-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2292-669-0x0000000000450000-0x00000000004FE000-memory.dmp
memory/4240-677-0x0000000000000000-mapping.dmp
memory/4960-673-0x00000000008F0000-0x000000000095B000-memory.dmp
memory/2292-703-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4960-723-0x00000000008F0000-0x000000000095B000-memory.dmp
memory/2272-727-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\d3e350ad-f19e-4dfe-ace0-06a07f3d4661\A60.exe
| MD5 | 48d297bfd2e885dc24ecb4905db4482a |
| SHA1 | 208f24f50ae748a002a5497f88abecf0e9f1dc3e |
| SHA256 | e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2 |
| SHA512 | e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42 |
memory/508-753-0x0000000000000000-mapping.dmp
memory/3884-755-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2292-764-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4616-776-0x00000000007CA000-0x00000000007E9000-memory.dmp
memory/4616-777-0x0000000000470000-0x00000000005BA000-memory.dmp
memory/756-778-0x0000000000530000-0x000000000067A000-memory.dmp
memory/756-779-0x0000000000530000-0x000000000067A000-memory.dmp
memory/756-780-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4616-781-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2224-791-0x0000000000424141-mapping.dmp
memory/2224-840-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 916c512d221c683beeea9d5cb311b0b0 |
| SHA1 | bf0db4b1c4566275b629efb095b6ff8857b5748e |
| SHA256 | 64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8 |
| SHA512 | af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 76e7d5bf61b2e80d159f88aa9798ce91 |
| SHA1 | 32a46de50c9c02b068e39cf49b78c7e2d5ace20d |
| SHA256 | 280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3 |
| SHA512 | 5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 17ab924c1cc4a98f0f5567c22192e0ce |
| SHA1 | 8d67f49051ab5180109fb4af98daf51298039c94 |
| SHA256 | 217d0e60d20321bf97c536cb6f9814e01595b716e525612891d23601d0b65be6 |
| SHA512 | d762eb93f9fc1f391406e2aaf7c1c76a5f10da5bb258c1faf337edeb400371ebd1da0e7be7f751cc408ff410283f4c0fcfd51b49279714d7623a2a979cdae504 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | ea2a469e20c0d7688427883dbad1d818 |
| SHA1 | 71a7b2dfe431eab88a447106ccf1347f3e5d846d |
| SHA256 | a67a7b0f3cc790d488f8757dc1cf158cae0615a343a1dbbaacb5dabe94cef2b0 |
| SHA512 | 9a7e7469f72455887d77c057290aa8c67a840cd532c3b283e2c1a1f6d1d9be21b3b71774a2e106b7b364363edb715cc7e2b5d885d8b92541bd13c1bae095d755 |
memory/2764-903-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1288-920-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe
| MD5 | 03ddc9dc7312d33ad1c5f6ed2d167645 |
| SHA1 | e75de38aee3b0beb5cc91334ecbd8a876c8351a6 |
| SHA256 | 60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708 |
| SHA512 | 9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa |
memory/4672-945-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4220-981-0x0000000000000000-mapping.dmp
memory/2224-992-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3240-1001-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DD87.exe
| MD5 | 2ad4637157bb4324a9319784d034299f |
| SHA1 | 38430d849df78655d80c3c312bd8e78883b28de1 |
| SHA256 | e4e3ff86281237394192f1908d9bcc4ff1c1e1f59e77cef52aba86a4eed2cfc4 |
| SHA512 | 95cf838a4a1a0721538ed60e651e15f437e22f256947a6263bc2fe25fec447b4f37d3c7a490c2e2389da5d514852be1a4082bc84d00374fc0cbd0008a11719e4 |
memory/3240-1038-0x00000000025D0000-0x000000000295B000-memory.dmp
memory/1288-1040-0x000000000086A000-0x0000000000896000-memory.dmp
memory/660-1045-0x000000000042353C-mapping.dmp
memory/1288-1043-0x00000000007C0000-0x000000000080B000-memory.dmp
memory/3240-1046-0x0000000002960000-0x0000000002E45000-memory.dmp
memory/1288-1050-0x000000000086A000-0x0000000000896000-memory.dmp
memory/3092-1090-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F96D.exe
| MD5 | 21eaa1da67a8d9f3b76b4a63a1da1442 |
| SHA1 | 677a156ca20cabf46fce1085e8743344ce075e9f |
| SHA256 | 76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335 |
| SHA512 | f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1 |
memory/3240-1091-0x0000000000400000-0x00000000008F2000-memory.dmp
memory/660-1094-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1916-1178-0x0000000000000000-mapping.dmp
memory/3240-1193-0x0000000002960000-0x0000000002E45000-memory.dmp
memory/3240-1195-0x0000000000400000-0x00000000008F2000-memory.dmp
memory/5016-1203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\13CC.exe
| MD5 | b6957e4ed8fe1cd100b9b52dfefb9a7a |
| SHA1 | f886edefe8980a61b730a998285a3086955cb800 |
| SHA256 | 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e |
| SHA512 | 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2 |
memory/1520-1258-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll
| MD5 | de832ff99a3c41c6648df9f14504e7af |
| SHA1 | d0c19dbfa49f5e8d0de16036704d31d5da5e849c |
| SHA256 | dd180fe11f933cec7a5ec6dc4dc13d848d4de3ece76a06d6d346a33aea95ada5 |
| SHA512 | 2f39b05dc05694e995438e045fa2979326533d74e099a5ae61eda86b4feac4629f808d131345a2fe82eb4aa2052f71c42b6ab47c2dad8484e3662bbb2fc0fcce |
\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll
| MD5 | de832ff99a3c41c6648df9f14504e7af |
| SHA1 | d0c19dbfa49f5e8d0de16036704d31d5da5e849c |
| SHA256 | dd180fe11f933cec7a5ec6dc4dc13d848d4de3ece76a06d6d346a33aea95ada5 |
| SHA512 | 2f39b05dc05694e995438e045fa2979326533d74e099a5ae61eda86b4feac4629f808d131345a2fe82eb4aa2052f71c42b6ab47c2dad8484e3662bbb2fc0fcce |
memory/660-1297-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3716-1311-0x0000000000000000-mapping.dmp
memory/1916-1327-0x0000000000400000-0x0000000000857000-memory.dmp
memory/4468-1340-0x0000000000000000-mapping.dmp
memory/4884-1343-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
| MD5 | b6957e4ed8fe1cd100b9b52dfefb9a7a |
| SHA1 | f886edefe8980a61b730a998285a3086955cb800 |
| SHA256 | 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e |
| SHA512 | 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socks5-clean.ps1
| MD5 | 8e8a2af56c10a83cf0859b9c69b6d6af |
| SHA1 | ec6ddf4db8c8e77c154a039783c11fbfa9be0f1c |
| SHA256 | f6ec97aada7c02f8de0ec4b0859d1cb522b688085ccb5579fd913200b7d9220d |
| SHA512 | c4cd6a1955a9fc9d10f9a4237793b7d3ddf126b26fc15f772609dc5beb70da076a8315160f3f8ff3cae5668506f218eab256d5083fbba210e96f3b4ab2fb5b23 |
memory/4468-1360-0x0000000001000000-0x0000000001009000-memory.dmp
memory/4468-1364-0x0000000000DF0000-0x0000000000DFF000-memory.dmp
memory/4168-1373-0x0000000000000000-mapping.dmp
memory/4788-1372-0x0000000000000000-mapping.dmp
memory/1376-1414-0x0000000000000000-mapping.dmp
memory/1376-1436-0x0000000000510000-0x0000000000516000-memory.dmp
memory/1376-1444-0x0000000000500000-0x000000000050C000-memory.dmp
memory/2888-1460-0x0000000000000000-mapping.dmp
memory/5000-1501-0x0000000000000000-mapping.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4532-1547-0x0000000000000000-mapping.dmp
memory/4028-1594-0x0000000000000000-mapping.dmp
memory/3716-1632-0x0000000000D40000-0x0000000000D47000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c2e5f570cd481da902fbecb57fc9abee |
| SHA1 | 73d2a074d442ebae9205b0888da59920533d0ce7 |
| SHA256 | 79ca1a9a0b7e4fa589aec8dcb47f49b250235ce213abeeb1e64e2b6952bd9bd0 |
| SHA512 | ab6e4c982868bac0358db936434049f6f7c57acd3337d3f1172c231a0706db38c300013af1285da12f59135d5ff99d99be33383b2d28250fa6ed78a5a57b09e3 |
memory/4028-1643-0x00000000003F0000-0x00000000003F7000-memory.dmp
memory/4848-1640-0x0000000000000000-mapping.dmp
memory/4028-1654-0x00000000003E0000-0x00000000003ED000-memory.dmp
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
| MD5 | 674cec24e36e0dfaec6290db96dda86e |
| SHA1 | 581e3a7a541cc04641e751fc850d92e07236681f |
| SHA256 | de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded |
| SHA512 | 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029 |
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
| MD5 | 674cec24e36e0dfaec6290db96dda86e |
| SHA1 | 581e3a7a541cc04641e751fc850d92e07236681f |
| SHA256 | de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded |
| SHA512 | 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029 |
memory/1460-1722-0x0000000000000000-mapping.dmp
memory/3680-1872-0x0000000000000000-mapping.dmp
memory/1476-1997-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
| MD5 | 0e4dacc0e38f7e7302000511abd571e7 |
| SHA1 | 8699e8bc762bd3e04577d4ce887ad60c9c9642ea |
| SHA256 | 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d |
| SHA512 | 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4900-2168-0x0000000000000000-mapping.dmp
memory/2204-2191-0x00007FF6810C5FD0-mapping.dmp
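The dropped-file list above is the part of this report a responder actually reuses: each path is followed by MD5/SHA1/SHA256/SHA512 rows, memory dump names are interleaved, and the same file can be listed more than once (gntuud.exe, cred64.dll under two path spellings, mstsca.exe). The script below is an added example, not tooling from the sandbox or from this report. It parses that listing into hash IOCs, collapses repeats by SHA-256 while keeping every path the file was seen under, and looks up a file's content against the set. The embedded sample is a constructed excerpt that copies four listings from the report (the hashes are the report's own values); the function and class names are assumptions of this example.

```python
"""Turn a sandbox report's dropped-file list into hash IOCs and match against them.

Added example for this page; not part of the report or the sandbox's tooling.
SAMPLE_REPORT is a constructed excerpt of the artefact list above: it repeats
the gntuud.exe listing and lists cred64.dll under both path forms the report
uses, to exercise de-duplication.
"""
import hashlib
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

SAMPLE_REPORT = r"""
memory/3716-1311-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
| MD5 | b6957e4ed8fe1cd100b9b52dfefb9a7a |
| SHA1 | f886edefe8980a61b730a998285a3086955cb800 |
| SHA256 | 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e |
| SHA512 | 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2 |
memory/4468-1360-0x0000000001000000-0x0000000001009000-memory.dmp
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
| MD5 | 674cec24e36e0dfaec6290db96dda86e |
| SHA1 | 581e3a7a541cc04641e751fc850d92e07236681f |
| SHA256 | de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded |
| SHA512 | 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029 |
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
| MD5 | 674cec24e36e0dfaec6290db96dda86e |
| SHA1 | 581e3a7a541cc04641e751fc850d92e07236681f |
| SHA256 | de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded |
| SHA512 | 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029 |
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
| MD5 | b6957e4ed8fe1cd100b9b52dfefb9a7a |
| SHA1 | f886edefe8980a61b730a998285a3086955cb800 |
| SHA256 | 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e |
| SHA512 | 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2 |
"""


@dataclass
class Artifact:            # one listing exactly as it appears in the report
    path: str
    hashes: dict


@dataclass
class Ioc:                 # one unique file, keyed by SHA-256
    sha256: str
    hashes: dict
    paths: set = field(default_factory=set)
    listed: int = 0        # how many times the report listed this file


def parse_artifacts(text):
    """One Artifact per path line; hash rows attach to the path above them.
    Memory dump references and blank lines are skipped; a hash row with the
    wrong digest length for its algorithm is rejected rather than stored."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = ROW_RE.match(line)
        if m is None:                       # a path line starts a new listing
            current = Artifact(path=line, hashes={})
            artifacts.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row without a preceding path: {line}")
        algo, value = m.group(1), m.group(2).lower()
        if len(value) != HASH_LEN[algo]:
            raise ValueError(f"{algo} for {current.path} has {len(value)} hex digits")
        current.hashes[algo] = value
    return artifacts


def normalize_path(path):
    """Drop an optional drive letter and case so 'C:\\Users\\..' and '\\Users\\..' agree."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def build_iocs(artifacts):
    """Collapse repeated listings by SHA-256 and refuse conflicting hash sets."""
    iocs = {}
    for a in artifacts:
        if "SHA256" not in a.hashes:
            continue
        ioc = iocs.setdefault(a.hashes["SHA256"], Ioc(a.hashes["SHA256"], dict(a.hashes)))
        if ioc.hashes != a.hashes:
            raise ValueError(f"conflicting hashes for {a.path}")
        ioc.paths.add(normalize_path(a.path))
        ioc.listed += 1
    return iocs


def hash_bytes(data):
    """All four digests of a file's content, lower-case hex, keyed like the report."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HASH_LEN}


def lookup(iocs, digest):
    """Find the IOC carrying this digest under any algorithm (case-insensitive)."""
    digest = digest.lower()
    return next((i for i in iocs.values() if digest in i.hashes.values()), None)


def check_bytes(iocs, data):
    """Return the matching IOC for a file's content, or None if it is not listed."""
    return lookup(iocs, hash_bytes(data)["SHA256"])


if __name__ == "__main__":
    iocs = build_iocs(parse_artifacts(SAMPLE_REPORT))
    for ioc in iocs.values():
        print(f"{ioc.sha256}  listed {ioc.listed}x  paths={sorted(ioc.paths)}")
```

To use it on a real report, feed the whole artefact section to `parse_artifacts` and hash suspect files with `check_bytes`; matching on SHA-256 rather than MD5 avoids false positives from collision-crafted samples, while `lookup` still accepts an MD5 or SHA-1 when that is all a log line gives you.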