Malware Analysis Report

2024-10-23 17:30

Sample ID 221129-mnj3vsba82
Target fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361
SHA256 fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361
Tags
amadey djvu smokeloader vidar 517 backdoor collection discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361

Threat Level: Known bad

The file fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361 was found to be: Known bad.

Malicious Activity Summary

amadey djvu smokeloader vidar 517 backdoor collection discovery persistence ransomware spyware stealer trojan

Amadey

SmokeLoader

Djvu Ransomware

Detects Smokeloader packer

Detected Djvu ransomware

Vidar

Detect Amadey credential stealer module

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Reads local data of messenger clients

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

outlook_office_path

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

outlook_win_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-29 10:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-29 10:36

Reported

2022-11-29 10:39

Platform

win10-20220901-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe"

Signatures

Amadey

trojan amadey

Detect Amadey credential stealer module

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d3e350ad-f19e-4dfe-ace0-06a07f3d4661\\A60.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks_powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\socks5-clean.ps1\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2119.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2F53.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2F53.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1C45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2F53.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1C45.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1C45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\28CA.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\28CA.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\28CA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000007d55e254100054656d7000003a0009000400efbe2155a8847d55e2542e0000000000000000000000000000000000000000000000000048781701540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28CA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F53.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 2364 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 2364 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 2364 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\Temp\F91.exe
PID 2364 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\Temp\F91.exe
PID 2364 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\Temp\F91.exe
PID 2364 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\Temp\13E8.exe
PID 2364 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\Temp\13E8.exe
PID 2364 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\Temp\13E8.exe
PID 2364 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C45.exe
PID 2364 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C45.exe
PID 2364 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C45.exe
PID 2364 wrote to memory of 756 N/A N/A C:\Users\Admin\AppData\Local\Temp\2119.exe
PID 2364 wrote to memory of 756 N/A N/A C:\Users\Admin\AppData\Local\Temp\2119.exe
PID 2364 wrote to memory of 756 N/A N/A C:\Users\Admin\AppData\Local\Temp\2119.exe
PID 2364 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\28CA.exe
PID 2364 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\28CA.exe
PID 2364 wrote to memory of 4176 N/A N/A C:\Users\Admin\AppData\Local\Temp\28CA.exe
PID 2364 wrote to memory of 2292 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F53.exe
PID 2364 wrote to memory of 2292 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F53.exe
PID 2364 wrote to memory of 2292 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F53.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 4460 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 2348 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\F91.exe C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
PID 2348 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\F91.exe C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
PID 2348 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\F91.exe C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
PID 2364 wrote to memory of 4648 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2364 wrote to memory of 4648 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4648 wrote to memory of 564 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4648 wrote to memory of 564 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4648 wrote to memory of 564 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2364 wrote to memory of 4960 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 4960 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 4960 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 4960 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2364 wrote to memory of 420 N/A N/A C:\Windows\explorer.exe
PID 2364 wrote to memory of 420 N/A N/A C:\Windows\explorer.exe
PID 2364 wrote to memory of 420 N/A N/A C:\Windows\explorer.exe
PID 4616 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe C:\Windows\SysWOW64\schtasks.exe
PID 4616 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe C:\Windows\SysWOW64\schtasks.exe
PID 4616 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3884 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Windows\SysWOW64\icacls.exe
PID 3884 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Windows\SysWOW64\icacls.exe
PID 3884 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Windows\SysWOW64\icacls.exe
PID 3884 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 3884 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 3884 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe
PID 508 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\A60.exe C:\Users\Admin\AppData\Local\Temp\A60.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe

"C:\Users\Admin\AppData\Local\Temp\fda21e0f5bcb87ffe4380f9f66de833aa4dff21cb03b78362d517df0bebab361.exe"

C:\Users\Admin\AppData\Local\Temp\A60.exe

C:\Users\Admin\AppData\Local\Temp\A60.exe

C:\Users\Admin\AppData\Local\Temp\F91.exe

C:\Users\Admin\AppData\Local\Temp\F91.exe

C:\Users\Admin\AppData\Local\Temp\13E8.exe

C:\Users\Admin\AppData\Local\Temp\13E8.exe

C:\Users\Admin\AppData\Local\Temp\1C45.exe

C:\Users\Admin\AppData\Local\Temp\1C45.exe

C:\Users\Admin\AppData\Local\Temp\2119.exe

C:\Users\Admin\AppData\Local\Temp\2119.exe

C:\Users\Admin\AppData\Local\Temp\28CA.exe

C:\Users\Admin\AppData\Local\Temp\28CA.exe

C:\Users\Admin\AppData\Local\Temp\2F53.exe

C:\Users\Admin\AppData\Local\Temp\2F53.exe

C:\Users\Admin\AppData\Local\Temp\A60.exe

C:\Users\Admin\AppData\Local\Temp\A60.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3937.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3937.dll

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 476

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d3e350ad-f19e-4dfe-ace0-06a07f3d4661" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\A60.exe

"C:\Users\Admin\AppData\Local\Temp\A60.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A60.exe

"C:\Users\Admin\AppData\Local\Temp\A60.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe

"C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe"

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build3.exe

"C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\DD87.exe

C:\Users\Admin\AppData\Local\Temp\DD87.exe

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe

"C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe"

C:\Users\Admin\AppData\Local\Temp\F96D.exe

C:\Users\Admin\AppData\Local\Temp\F96D.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll,start

C:\Users\Admin\AppData\Local\Temp\13CC.exe

C:\Users\Admin\AppData\Local\Temp\13CC.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 13724

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 furubujjul.net udp
N/A 91.195.240.101:80 furubujjul.net tcp
N/A 8.8.8.8:53 starvestitibo.org udp
N/A 193.106.191.15:80 starvestitibo.org tcp
N/A 193.56.146.77:80 193.56.146.77 tcp
N/A 8.8.8.8:53 careers-info.com udp
N/A 167.235.4.117:443 careers-info.com tcp
N/A 20.189.173.15:443 tcp
N/A 77.73.131.124:80 77.73.131.124 tcp
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 api.2ip.ua udp
N/A 162.0.217.254:443 api.2ip.ua tcp
N/A 193.56.146.194:80 193.56.146.194 tcp
N/A 193.56.146.194:80 193.56.146.194 tcp
N/A 193.106.191.15:80 starvestitibo.org tcp
N/A 8.8.8.8:53 dowe.at udp
N/A 95.107.163.44:80 dowe.at tcp
N/A 95.107.163.44:80 dowe.at tcp
N/A 95.107.163.44:80 dowe.at tcp
N/A 95.107.163.44:80 dowe.at tcp
N/A 162.0.217.254:443 api.2ip.ua tcp
N/A 95.107.163.44:80 dowe.at tcp
N/A 123.253.32.170:80 123.253.32.170 tcp
N/A 8.8.8.8:53 uaery.top udp
N/A 8.8.8.8:53 fresherlights.com udp
N/A 211.171.233.129:80 uaery.top tcp
N/A 210.182.29.70:80 fresherlights.com tcp
N/A 210.182.29.70:80 fresherlights.com tcp
N/A 8.8.8.8:53 r3oidsofsios.com udp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 8.8.8.8:53 bitbucket.org udp
N/A 104.192.141.1:443 bitbucket.org tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
N/A 54.231.225.201:443 bbuseruploads.s3.amazonaws.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 8.8.8.8:53 t.me udp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 149.154.167.99:443 t.me tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 62.204.41.252:80 62.204.41.252 tcp
N/A 95.107.163.44:80 uaery.top tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 185.246.221.151:80 r3oidsofsios.com tcp
N/A 95.217.31.208:80 95.217.31.208 tcp
N/A 172.93.193.231:443 172.93.193.231 tcp
N/A 62.204.41.252:80 62.204.41.252 tcp
N/A 192.236.163.13:443 192.236.163.13 tcp
N/A 193.56.146.194:80 193.56.146.194 tcp
N/A 37.220.87.15:4001 tcp
N/A 10.127.0.59:80 tcp
N/A 10.127.0.59:80 tcp
N/A 127.0.0.1:13724 tcp
N/A 127.0.0.1:1312 tcp

Files

memory/2744-120-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-121-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-122-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-123-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-124-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-125-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-126-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-127-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-128-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-129-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-130-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-131-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-132-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-133-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-134-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-135-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-136-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-137-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-138-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-139-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-140-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-142-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-143-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-144-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-145-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-146-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-147-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-148-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-149-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-150-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-151-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-152-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-153-0x0000000000460000-0x00000000005AA000-memory.dmp

memory/2744-154-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/2744-156-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-155-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2744-157-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2744-158-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4460-159-0x0000000000000000-mapping.dmp

memory/4460-161-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-162-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A60.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

memory/4460-163-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-164-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-165-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-166-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-167-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-169-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-170-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-171-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A60.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

memory/4460-172-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-173-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-174-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-176-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-175-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-178-0x0000000000000000-mapping.dmp

memory/4460-179-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-182-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-184-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-183-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-185-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-187-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-188-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-189-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-190-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-191-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-193-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/2348-194-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F91.exe

MD5 0e4dacc0e38f7e7302000511abd571e7
SHA1 8699e8bc762bd3e04577d4ce887ad60c9c9642ea
SHA256 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d
SHA512 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98

memory/2348-186-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F91.exe

MD5 0e4dacc0e38f7e7302000511abd571e7
SHA1 8699e8bc762bd3e04577d4ce887ad60c9c9642ea
SHA256 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d
SHA512 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98

memory/4460-180-0x0000000077660000-0x00000000777EE000-memory.dmp

memory/4460-177-0x0000000077660000-0x00000000777EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13E8.exe

MD5 c42d13fbc2efd907113054c91ff86130
SHA1 6dc92133c1410be4d4911b7ae934e8c4a6d050af
SHA256 76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0
SHA512 6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

memory/1476-196-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\13E8.exe

MD5 c42d13fbc2efd907113054c91ff86130
SHA1 6dc92133c1410be4d4911b7ae934e8c4a6d050af
SHA256 76153e0e8d619392a7b5dd5334cd7900e2fcfac29e23d64489d167321ff9eee0
SHA512 6a5e8c3437638423a7ff354970ea93fd840c1c840843f0c7168ef517e53d63d9712f1972ece0a9c3d0abca7c1e6d2cbbe72fcfaf4296cee9a9b6a83eaeb7a552

memory/3712-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1C45.exe

MD5 095185cffdf3244d073e2d61e08fe095
SHA1 91f42a94235db96c472c95754c169b8ed1a90ecb
SHA256 6928b731080ae4f54c91fdc7bab441c0702b16f173470a6a5199cdadafe0a2a1
SHA512 47b86018ae11b67cb5cabad80784e1a02adab2175305906b40b28282f8be5f22999782beeba0f1ccf219af88acfc5336df095b30d22ef6c94ee0393717bbad23

C:\Users\Admin\AppData\Local\Temp\1C45.exe

MD5 095185cffdf3244d073e2d61e08fe095
SHA1 91f42a94235db96c472c95754c169b8ed1a90ecb
SHA256 6928b731080ae4f54c91fdc7bab441c0702b16f173470a6a5199cdadafe0a2a1
SHA512 47b86018ae11b67cb5cabad80784e1a02adab2175305906b40b28282f8be5f22999782beeba0f1ccf219af88acfc5336df095b30d22ef6c94ee0393717bbad23

memory/756-248-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2119.exe

MD5 26ab12af334137fedf1961a421294abc
SHA1 f96fa14d035e6408d47093a85be5f6224ee250ed
SHA256 dc0c9b8a82e97a0275bae25dff21b46f3e8521a235cf7fea929fe3d2d4609e67
SHA512 c92afc703a810ed694f5d53c2f23225fc90698387ee9ab8d007bd27240a3c694b42517015b331f487c041dff4bd52684bc16f1bbdfe3a7ac5851a7627529ef25

C:\Users\Admin\AppData\Local\Temp\2119.exe

MD5 26ab12af334137fedf1961a421294abc
SHA1 f96fa14d035e6408d47093a85be5f6224ee250ed
SHA256 dc0c9b8a82e97a0275bae25dff21b46f3e8521a235cf7fea929fe3d2d4609e67
SHA512 c92afc703a810ed694f5d53c2f23225fc90698387ee9ab8d007bd27240a3c694b42517015b331f487c041dff4bd52684bc16f1bbdfe3a7ac5851a7627529ef25

memory/2348-278-0x00000000006EA000-0x0000000000709000-memory.dmp

memory/2348-281-0x0000000002070000-0x00000000020AE000-memory.dmp

memory/4176-288-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\28CA.exe

MD5 de3625df6dd5400a7f910d1499bcd140
SHA1 41667d073ac810fec50d61822e600e85759928cf
SHA256 d04a145ec2b45e8119b38a49082a86036929afa9e68e24724d870bce3a296cf9
SHA512 295ad64717417901d9bc0da73186ae07e90caec0946dac5fa4a15f46b3c0b9423776e44d8450fb065b636480f84d9a30f41a9a939d097edad922f9ac7bebb36d

memory/2348-307-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4460-311-0x00000000021D0000-0x00000000022EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\28CA.exe

MD5 de3625df6dd5400a7f910d1499bcd140
SHA1 41667d073ac810fec50d61822e600e85759928cf
SHA256 d04a145ec2b45e8119b38a49082a86036929afa9e68e24724d870bce3a296cf9
SHA512 295ad64717417901d9bc0da73186ae07e90caec0946dac5fa4a15f46b3c0b9423776e44d8450fb065b636480f84d9a30f41a9a939d097edad922f9ac7bebb36d

memory/2292-324-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2F53.exe

MD5 29a373c2434df5c3203864edadf0142e
SHA1 06eeaf59c220156007f491e6d5c158ef8cbe39da
SHA256 278234b6fac8082ce18f4898067337c0933d8b604a90694c8d30e7d7eab23d48
SHA512 2580ecc59623888e9de48a2a3dda5ab6d89d3f8e4f9ba6e0a6e1f8fe6bc9d9bccb2d4f7f6278f362e8bc5993135ed19dad99231f854971cb2a9d5163d7a5cd03

memory/4460-340-0x00000000020D0000-0x000000000216C000-memory.dmp

memory/3884-347-0x0000000000424141-mapping.dmp

memory/3712-345-0x0000000000460000-0x000000000050E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A60.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

C:\Users\Admin\AppData\Local\Temp\2F53.exe

MD5 29a373c2434df5c3203864edadf0142e
SHA1 06eeaf59c220156007f491e6d5c158ef8cbe39da
SHA256 278234b6fac8082ce18f4898067337c0933d8b604a90694c8d30e7d7eab23d48
SHA512 2580ecc59623888e9de48a2a3dda5ab6d89d3f8e4f9ba6e0a6e1f8fe6bc9d9bccb2d4f7f6278f362e8bc5993135ed19dad99231f854971cb2a9d5163d7a5cd03

memory/3712-382-0x0000000000460000-0x000000000050E000-memory.dmp

memory/4648-385-0x0000000000000000-mapping.dmp

memory/2348-393-0x00000000006EA000-0x0000000000709000-memory.dmp

memory/2348-398-0x0000000002070000-0x00000000020AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

MD5 0e4dacc0e38f7e7302000511abd571e7
SHA1 8699e8bc762bd3e04577d4ce887ad60c9c9642ea
SHA256 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d
SHA512 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98

memory/3712-388-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4616-381-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3937.dll

MD5 c5b915ef4725ee4ad0229e053dad05d4
SHA1 032fb4cef8ee63d527e98dadf4cdf94c707e1005
SHA256 7a1505d85c64361dfded962e654d6293bf610cd18a3c2683f2ea24bcf99d61db
SHA512 763abbadec6389c9421730f21217b18fc3136147885c91f04ea236bbe346e250e87589599499c339d502e71d69c85612b0469d00a198eac41dad50f9c33d8603

memory/2348-405-0x0000000000400000-0x0000000000468000-memory.dmp

memory/564-403-0x0000000000000000-mapping.dmp

memory/4960-409-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

MD5 0e4dacc0e38f7e7302000511abd571e7
SHA1 8699e8bc762bd3e04577d4ce887ad60c9c9642ea
SHA256 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d
SHA512 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98

memory/420-438-0x0000000000000000-mapping.dmp

memory/420-463-0x00000000003F0000-0x00000000003FC000-memory.dmp

memory/1476-472-0x0000000000550000-0x000000000069A000-memory.dmp

memory/4176-507-0x00000000005B0000-0x00000000006FA000-memory.dmp

memory/4176-513-0x0000000000580000-0x0000000000589000-memory.dmp

memory/1476-534-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3712-529-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4176-545-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3884-571-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\3937.dll

MD5 c5b915ef4725ee4ad0229e053dad05d4
SHA1 032fb4cef8ee63d527e98dadf4cdf94c707e1005
SHA256 7a1505d85c64361dfded962e654d6293bf610cd18a3c2683f2ea24bcf99d61db
SHA512 763abbadec6389c9421730f21217b18fc3136147885c91f04ea236bbe346e250e87589599499c339d502e71d69c85612b0469d00a198eac41dad50f9c33d8603

memory/4616-603-0x00000000007CA000-0x00000000007E9000-memory.dmp

memory/4616-609-0x0000000000470000-0x00000000005BA000-memory.dmp

memory/756-614-0x0000000000530000-0x000000000067A000-memory.dmp

memory/756-618-0x0000000000530000-0x000000000067A000-memory.dmp

memory/756-622-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4616-644-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4960-649-0x0000000000960000-0x00000000009D5000-memory.dmp

memory/4176-662-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2292-669-0x0000000000450000-0x00000000004FE000-memory.dmp

memory/4240-677-0x0000000000000000-mapping.dmp

memory/4960-673-0x00000000008F0000-0x000000000095B000-memory.dmp

memory/2292-703-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4960-723-0x00000000008F0000-0x000000000095B000-memory.dmp

memory/2272-727-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\d3e350ad-f19e-4dfe-ace0-06a07f3d4661\A60.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

memory/508-753-0x0000000000000000-mapping.dmp

memory/3884-755-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A60.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

memory/2292-764-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4616-776-0x00000000007CA000-0x00000000007E9000-memory.dmp

memory/4616-777-0x0000000000470000-0x00000000005BA000-memory.dmp

memory/756-778-0x0000000000530000-0x000000000067A000-memory.dmp

memory/756-779-0x0000000000530000-0x000000000067A000-memory.dmp

memory/756-780-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4616-781-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2224-791-0x0000000000424141-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A60.exe

MD5 48d297bfd2e885dc24ecb4905db4482a
SHA1 208f24f50ae748a002a5497f88abecf0e9f1dc3e
SHA256 e237ff774cc5374a2ca6d281835cc7dcedcc3f9edbe60f9a0cab7432a8349af2
SHA512 e1cc0850bb18cc1bd6116c0472a24b54d694319930cbe0468ee2face51f3890077aa32807d4c33d5efec94fd2b1b1eee3dc0193efb64762587354e047d84fe42

memory/2224-840-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

MD5 0e4dacc0e38f7e7302000511abd571e7
SHA1 8699e8bc762bd3e04577d4ce887ad60c9c9642ea
SHA256 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d
SHA512 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 916c512d221c683beeea9d5cb311b0b0
SHA1 bf0db4b1c4566275b629efb095b6ff8857b5748e
SHA256 64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8
SHA512 af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 76e7d5bf61b2e80d159f88aa9798ce91
SHA1 32a46de50c9c02b068e39cf49b78c7e2d5ace20d
SHA256 280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3
SHA512 5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 17ab924c1cc4a98f0f5567c22192e0ce
SHA1 8d67f49051ab5180109fb4af98daf51298039c94
SHA256 217d0e60d20321bf97c536cb6f9814e01595b716e525612891d23601d0b65be6
SHA512 d762eb93f9fc1f391406e2aaf7c1c76a5f10da5bb258c1faf337edeb400371ebd1da0e7be7f751cc408ff410283f4c0fcfd51b49279714d7623a2a979cdae504

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 ea2a469e20c0d7688427883dbad1d818
SHA1 71a7b2dfe431eab88a447106ccf1347f3e5d846d
SHA256 a67a7b0f3cc790d488f8757dc1cf158cae0615a343a1dbbaacb5dabe94cef2b0
SHA512 9a7e7469f72455887d77c057290aa8c67a840cd532c3b283e2c1a1f6d1d9be21b3b71774a2e106b7b364363edb715cc7e2b5d885d8b92541bd13c1bae095d755

memory/2764-903-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1288-920-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe

MD5 03ddc9dc7312d33ad1c5f6ed2d167645
SHA1 e75de38aee3b0beb5cc91334ecbd8a876c8351a6
SHA256 60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708
SHA512 9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe

MD5 03ddc9dc7312d33ad1c5f6ed2d167645
SHA1 e75de38aee3b0beb5cc91334ecbd8a876c8351a6
SHA256 60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708
SHA512 9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa

memory/4672-945-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4220-981-0x0000000000000000-mapping.dmp

memory/2224-992-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3240-1001-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DD87.exe

MD5 2ad4637157bb4324a9319784d034299f
SHA1 38430d849df78655d80c3c312bd8e78883b28de1
SHA256 e4e3ff86281237394192f1908d9bcc4ff1c1e1f59e77cef52aba86a4eed2cfc4
SHA512 95cf838a4a1a0721538ed60e651e15f437e22f256947a6263bc2fe25fec447b4f37d3c7a490c2e2389da5d514852be1a4082bc84d00374fc0cbd0008a11719e4

C:\Users\Admin\AppData\Local\Temp\DD87.exe

MD5 2ad4637157bb4324a9319784d034299f
SHA1 38430d849df78655d80c3c312bd8e78883b28de1
SHA256 e4e3ff86281237394192f1908d9bcc4ff1c1e1f59e77cef52aba86a4eed2cfc4
SHA512 95cf838a4a1a0721538ed60e651e15f437e22f256947a6263bc2fe25fec447b4f37d3c7a490c2e2389da5d514852be1a4082bc84d00374fc0cbd0008a11719e4

memory/3240-1038-0x00000000025D0000-0x000000000295B000-memory.dmp

memory/1288-1040-0x000000000086A000-0x0000000000896000-memory.dmp

memory/660-1045-0x000000000042353C-mapping.dmp

memory/1288-1043-0x00000000007C0000-0x000000000080B000-memory.dmp

memory/3240-1046-0x0000000002960000-0x0000000002E45000-memory.dmp

C:\Users\Admin\AppData\Local\f33cde91-a80a-45a5-9f70-17788ac062d4\build2.exe

MD5 03ddc9dc7312d33ad1c5f6ed2d167645
SHA1 e75de38aee3b0beb5cc91334ecbd8a876c8351a6
SHA256 60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708
SHA512 9a23eb681563719a6ad9202038a307e842b9a60c16aec2f01ce422feca11ac8d6e1d0e9a30e110e17bec4421121643ac87f075eae8bf127dca2213f7a2c6f1aa

memory/1288-1050-0x000000000086A000-0x0000000000896000-memory.dmp

memory/3092-1090-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F96D.exe

MD5 21eaa1da67a8d9f3b76b4a63a1da1442
SHA1 677a156ca20cabf46fce1085e8743344ce075e9f
SHA256 76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335
SHA512 f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

memory/3240-1091-0x0000000000400000-0x00000000008F2000-memory.dmp

memory/660-1094-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F96D.exe

MD5 21eaa1da67a8d9f3b76b4a63a1da1442
SHA1 677a156ca20cabf46fce1085e8743344ce075e9f
SHA256 76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335
SHA512 f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

memory/1916-1178-0x0000000000000000-mapping.dmp

memory/3240-1193-0x0000000002960000-0x0000000002E45000-memory.dmp

memory/3240-1195-0x0000000000400000-0x00000000008F2000-memory.dmp

memory/5016-1203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\13CC.exe

MD5 b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1 f886edefe8980a61b730a998285a3086955cb800
SHA256 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2

C:\Users\Admin\AppData\Local\Temp\13CC.exe

MD5 b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1 f886edefe8980a61b730a998285a3086955cb800
SHA256 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2

memory/1520-1258-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll

MD5 de832ff99a3c41c6648df9f14504e7af
SHA1 d0c19dbfa49f5e8d0de16036704d31d5da5e849c
SHA256 dd180fe11f933cec7a5ec6dc4dc13d848d4de3ece76a06d6d346a33aea95ada5
SHA512 2f39b05dc05694e995438e045fa2979326533d74e099a5ae61eda86b4feac4629f808d131345a2fe82eb4aa2052f71c42b6ab47c2dad8484e3662bbb2fc0fcce

\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll

MD5 de832ff99a3c41c6648df9f14504e7af
SHA1 d0c19dbfa49f5e8d0de16036704d31d5da5e849c
SHA256 dd180fe11f933cec7a5ec6dc4dc13d848d4de3ece76a06d6d346a33aea95ada5
SHA512 2f39b05dc05694e995438e045fa2979326533d74e099a5ae61eda86b4feac4629f808d131345a2fe82eb4aa2052f71c42b6ab47c2dad8484e3662bbb2fc0fcce

memory/660-1297-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3716-1311-0x0000000000000000-mapping.dmp

memory/1916-1327-0x0000000000400000-0x0000000000857000-memory.dmp

memory/4468-1340-0x0000000000000000-mapping.dmp

memory/4884-1343-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

MD5 b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1 f886edefe8980a61b730a998285a3086955cb800
SHA256 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\socks5-clean.ps1

MD5 8e8a2af56c10a83cf0859b9c69b6d6af
SHA1 ec6ddf4db8c8e77c154a039783c11fbfa9be0f1c
SHA256 f6ec97aada7c02f8de0ec4b0859d1cb522b688085ccb5579fd913200b7d9220d
SHA512 c4cd6a1955a9fc9d10f9a4237793b7d3ddf126b26fc15f772609dc5beb70da076a8315160f3f8ff3cae5668506f218eab256d5083fbba210e96f3b4ab2fb5b23

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

MD5 b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1 f886edefe8980a61b730a998285a3086955cb800
SHA256 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2

memory/4468-1360-0x0000000001000000-0x0000000001009000-memory.dmp

memory/4468-1364-0x0000000000DF0000-0x0000000000DFF000-memory.dmp

memory/4168-1373-0x0000000000000000-mapping.dmp

memory/4788-1372-0x0000000000000000-mapping.dmp

memory/1376-1414-0x0000000000000000-mapping.dmp

memory/1376-1436-0x0000000000510000-0x0000000000516000-memory.dmp

memory/1376-1444-0x0000000000500000-0x000000000050C000-memory.dmp

memory/2888-1460-0x0000000000000000-mapping.dmp

memory/5000-1501-0x0000000000000000-mapping.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4532-1547-0x0000000000000000-mapping.dmp

memory/4028-1594-0x0000000000000000-mapping.dmp

memory/3716-1632-0x0000000000D40000-0x0000000000D47000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c2e5f570cd481da902fbecb57fc9abee
SHA1 73d2a074d442ebae9205b0888da59920533d0ce7
SHA256 79ca1a9a0b7e4fa589aec8dcb47f49b250235ce213abeeb1e64e2b6952bd9bd0
SHA512 ab6e4c982868bac0358db936434049f6f7c57acd3337d3f1172c231a0706db38c300013af1285da12f59135d5ff99d99be33383b2d28250fa6ed78a5a57b09e3

memory/4028-1643-0x00000000003F0000-0x00000000003F7000-memory.dmp

memory/4848-1640-0x0000000000000000-mapping.dmp

memory/4028-1654-0x00000000003E0000-0x00000000003ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

MD5 674cec24e36e0dfaec6290db96dda86e
SHA1 581e3a7a541cc04641e751fc850d92e07236681f
SHA256 de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA512 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

MD5 674cec24e36e0dfaec6290db96dda86e
SHA1 581e3a7a541cc04641e751fc850d92e07236681f
SHA256 de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA512 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

memory/1460-1722-0x0000000000000000-mapping.dmp

memory/3680-1872-0x0000000000000000-mapping.dmp

memory/1476-1997-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

MD5 0e4dacc0e38f7e7302000511abd571e7
SHA1 8699e8bc762bd3e04577d4ce887ad60c9c9642ea
SHA256 1e481077cb7628976cae627f5030652c16a63f71165377b8a8523d86d1afa92d
SHA512 83b570b0cecbcd7f8e9967a4a64c8746e11ab5da6647815920e1ca0b39f573e11f7fddac9abc3d6d02d5e13e83eb8259553bbe58c93130f2c4a7ceb32ad2ee98

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe

MD5 b6957e4ed8fe1cd100b9b52dfefb9a7a
SHA1 f886edefe8980a61b730a998285a3086955cb800
SHA256 93fa1f55b57510de437b7cd4edd12a59122ab2e9463c866ad6558c470de0950e
SHA512 155bbccd4b94bd3e27ebab872925938c44f958d27cca2ab1ecc02dc777dfcb880491c73ab3618b990015b9bfa33aa1ce58bb78af010a44c94850d5474b9a96e2

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4900-2168-0x0000000000000000-mapping.dmp

memory/2204-2191-0x00007FF6810C5FD0-mapping.dmp