Malware Analysis Report

2025-05-28 14:51

Sample ID 221219-lar1wahf9z
Target f2c597e9fa52dd47f91af87220519dac.exe
SHA256 8324652e63748551690a637f91239ec267f614b86702d107a663cbf7e7c98a74
Tags
smokeloader backdoor trojan amadey danabot djvu redline mario23_10 banker collection discovery infostealer persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8324652e63748551690a637f91239ec267f614b86702d107a663cbf7e7c98a74

Threat Level: Known bad

The file f2c597e9fa52dd47f91af87220519dac.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

Detect Amadey credential stealer module

RedLine

Detected Djvu ransomware

Danabot

RedLine payload

SmokeLoader

Detects Smokeloader packer

Djvu Ransomware

Downloads MZ/PE file

Executes dropped EXE

Blocklisted process makes network request

Reads local data of messenger clients

Modifies file permissions

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Modifies registry class

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

outlook_office_path

outlook_win_path

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-12-19 09:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-12-19 09:20
Reported 2022-12-19 09:22
Platform win7-20221111-en
Max time kernel 150s
Max time network 30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe"

Signatures

Detects Smokeloader packer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe

"C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe"

Network

N/A

Files

memory/2028-54-0x00000000004E8000-0x00000000004F9000-memory.dmp

memory/2028-55-0x00000000767B1000-0x00000000767B3000-memory.dmp

memory/2028-57-0x00000000002A0000-0x00000000002A9000-memory.dmp

memory/2028-56-0x00000000004E8000-0x00000000004F9000-memory.dmp

memory/2028-58-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2028-59-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1276-60-0x000007FEF67D0000-0x000007FEF6913000-memory.dmp

memory/1276-61-0x000007FEB2B90000-0x000007FEB2B9A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-12-19 09:20
Reported 2022-12-19 09:22
Platform win10v2004-20220812-en
Max time kernel 150s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe"

Signatures

Amadey

trojan amadey

Danabot

trojan banker danabot

Detect Amadey credential stealer module

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects Smokeloader packer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\C75C.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\C75C.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D2E9.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D51C.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000013051\\linda5.exe" | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\df3ca667-9fb7-402b-aeb9-377dab3f93e5\\C75C.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\C75C.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\joker.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014051\\joker.exe" | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CC7E.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CC7E.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CC7E.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355ac52100054656d7000003a0009000400efbe0c55ec989355af522e000000000000000000000000000000000000000000000000009d73d700540065006d007000000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CC7E.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 760 wrote to memory of 812 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 760 wrote to memory of 812 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 760 wrote to memory of 812 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 760 wrote to memory of 1840 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe
PID 760 wrote to memory of 1840 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe
PID 760 wrote to memory of 1840 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe
PID 1840 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1840 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1840 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1840 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1840 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\C857.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 760 wrote to memory of 1804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CC7E.exe
PID 760 wrote to memory of 1804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CC7E.exe
PID 760 wrote to memory of 1804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CC7E.exe
PID 760 wrote to memory of 3152 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF3E.exe
PID 760 wrote to memory of 3152 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF3E.exe
PID 760 wrote to memory of 3152 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF3E.exe
PID 760 wrote to memory of 1820 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D2E9.exe
PID 760 wrote to memory of 1820 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D2E9.exe
PID 760 wrote to memory of 1820 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D2E9.exe
PID 760 wrote to memory of 3520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D51C.exe
PID 760 wrote to memory of 3520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D51C.exe
PID 760 wrote to memory of 3520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D51C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 760 wrote to memory of 4568 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 760 wrote to memory of 4568 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 760 wrote to memory of 4568 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 760 wrote to memory of 4568 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1820 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\D2E9.exe | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
PID 1820 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\D2E9.exe | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
PID 1820 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\D2E9.exe | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 812 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 3520 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\D51C.exe | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
PID 3520 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\D51C.exe | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
PID 3520 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\D51C.exe | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
PID 3460 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3460 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3460 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Windows\SysWOW64\schtasks.exe
PID 760 wrote to memory of 1072 | N/A | N/A | C:\Windows\explorer.exe
PID 760 wrote to memory of 1072 | N/A | N/A | C:\Windows\explorer.exe
PID 760 wrote to memory of 1072 | N/A | N/A | C:\Windows\explorer.exe
PID 3460 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe
PID 3460 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe
PID 3460 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe
PID 4612 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Windows\SysWOW64\icacls.exe
PID 4612 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Windows\SysWOW64\icacls.exe
PID 4612 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Windows\SysWOW64\icacls.exe
PID 3460 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe
PID 3460 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe
PID 3460 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe | C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe
PID 4612 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 4612 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 4612 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\C75C.exe | C:\Users\Admin\AppData\Local\Temp\C75C.exe
PID 4136 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe | C:\Windows\SysWOW64\control.exe
PID 4136 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe | C:\Windows\SysWOW64\control.exe
PID 4136 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe | C:\Windows\SysWOW64\control.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe

"C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe"

C:\Users\Admin\AppData\Local\Temp\C75C.exe

C:\Users\Admin\AppData\Local\Temp\C75C.exe

C:\Users\Admin\AppData\Local\Temp\C857.exe

C:\Users\Admin\AppData\Local\Temp\C857.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1840 -ip 1840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 292

C:\Users\Admin\AppData\Local\Temp\CC7E.exe

C:\Users\Admin\AppData\Local\Temp\CC7E.exe

C:\Users\Admin\AppData\Local\Temp\CF3E.exe

C:\Users\Admin\AppData\Local\Temp\CF3E.exe

C:\Users\Admin\AppData\Local\Temp\D2E9.exe

C:\Users\Admin\AppData\Local\Temp\D2E9.exe

C:\Users\Admin\AppData\Local\Temp\D51C.exe

C:\Users\Admin\AppData\Local\Temp\D51C.exe

C:\Users\Admin\AppData\Local\Temp\C75C.exe

C:\Users\Admin\AppData\Local\Temp\C75C.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

"C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

"C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe" /F

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3152 -ip 3152

C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe

"C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 340

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\df3ca667-9fb7-402b-aeb9-377dab3f93e5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe

"C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe"

C:\Users\Admin\AppData\Local\Temp\C75C.exe

"C:\Users\Admin\AppData\Local\Temp\C75C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\~xTQ.Si

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\~xTQ.Si

C:\Users\Admin\AppData\Local\Temp\C75C.exe

"C:\Users\Admin\AppData\Local\Temp\C75C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\~xTQ.Si

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\~xTQ.Si

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

"C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe"

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

"C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe"

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe

"C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3068 -ip 3068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1216

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\672C.exe

C:\Users\Admin\AppData\Local\Temp\672C.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 536

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23958

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 furubujjul.net udp
N/A 91.195.240.101:80 furubujjul.net tcp
N/A 8.8.8.8:53 starvestitibo.org udp
N/A 193.106.191.15:80 starvestitibo.org tcp
N/A 8.8.8.8:53 polyzi.com udp
N/A 95.217.49.230:443 polyzi.com tcp
N/A 31.41.244.228:80 31.41.244.228 tcp
N/A 167.235.252.160:10642 tcp
N/A 8.8.8.8:53 api.2ip.ua udp
N/A 62.204.41.79:80 62.204.41.79 tcp
N/A 162.0.217.254:443 api.2ip.ua tcp
N/A 31.41.244.228:80 31.41.244.228 tcp
N/A 193.106.191.15:80 starvestitibo.org tcp
N/A 31.41.244.198:4083 tcp
N/A 162.0.217.254:443 api.2ip.ua tcp
N/A 8.8.8.8:53 uaery.top udp
N/A 8.8.8.8:53 abibiall.com udp
N/A 175.120.254.9:80 abibiall.com tcp
N/A 211.171.233.129:80 uaery.top tcp
N/A 175.120.254.9:80 abibiall.com tcp
N/A 52.168.112.66:443 tcp
N/A 8.8.8.8:53 t.me udp
N/A 149.154.167.99:443 t.me tcp
N/A 95.216.207.27:80 95.216.207.27 tcp
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 175.120.254.9:80 xisac.com tcp
N/A 8.252.51.254:80 tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 23.106.123.49:80 23.106.123.49 tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 104.80.225.205:443 tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 175.120.254.9:80 xisac.com tcp
N/A 62.204.41.79:80 62.204.41.79 tcp
N/A 10.127.0.117:80 tcp
N/A 10.127.0.117:80 tcp
N/A 127.0.0.1:23958 tcp
N/A 127.0.0.1:1312 tcp

Files

memory/5072-132-0x0000000000682000-0x0000000000692000-memory.dmp

memory/5072-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/5072-134-0x0000000000400000-0x000000000045F000-memory.dmp

memory/5072-135-0x0000000000400000-0x000000000045F000-memory.dmp

memory/812-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C75C.exe

MD5 84ddcfcb55c1aa1dfdce65c841fd3193
SHA1 c88b590c9b54f72148143a68c09906ad93aa5904
SHA256 4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037
SHA512 a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

C:\Users\Admin\AppData\Local\Temp\C75C.exe

MD5 84ddcfcb55c1aa1dfdce65c841fd3193
SHA1 c88b590c9b54f72148143a68c09906ad93aa5904
SHA256 4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037
SHA512 a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

memory/1840-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C857.exe

MD5 4494ad792d3d806dcf0aaf8a52444014
SHA1 f4fee1fba7fafec5cd0fb8ae4f01aef33c327642
SHA256 d2556c2e2772327cc1ef509527c28b2aed8c27dd05e47c5c53aa3a221564abe1
SHA512 fa7f44031130932300fd374d3ca6cee0a45033752468e22c5f8155150e06dfddc6a378357d3db8e006663fc7f6e461940ecdb669fa912d83b6b6cc972715179b

C:\Users\Admin\AppData\Local\Temp\C857.exe

MD5 4494ad792d3d806dcf0aaf8a52444014
SHA1 f4fee1fba7fafec5cd0fb8ae4f01aef33c327642
SHA256 d2556c2e2772327cc1ef509527c28b2aed8c27dd05e47c5c53aa3a221564abe1
SHA512 fa7f44031130932300fd374d3ca6cee0a45033752468e22c5f8155150e06dfddc6a378357d3db8e006663fc7f6e461940ecdb669fa912d83b6b6cc972715179b

memory/1840-142-0x000000000088E000-0x0000000000890000-memory.dmp

memory/4468-143-0x0000000000000000-mapping.dmp

memory/4468-144-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1804-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CC7E.exe

MD5 7e2587f9abd6549a88072d135730580a
SHA1 3035343a78141807b53c016387cbc1518da1dabf
SHA256 1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875
SHA512 7d7fbe4a9b9b4c290b1a756fb0e076a2b8752b074e0845c86970526136ccb23c8691575ea52f06a0199fb8ae261432f9ea075b34fa55b52107e2db25cd0b7d46

C:\Users\Admin\AppData\Local\Temp\CC7E.exe

MD5 7e2587f9abd6549a88072d135730580a
SHA1 3035343a78141807b53c016387cbc1518da1dabf
SHA256 1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875
SHA512 7d7fbe4a9b9b4c290b1a756fb0e076a2b8752b074e0845c86970526136ccb23c8691575ea52f06a0199fb8ae261432f9ea075b34fa55b52107e2db25cd0b7d46

memory/4468-152-0x0000000005A80000-0x0000000006098000-memory.dmp

memory/4468-153-0x0000000005570000-0x000000000567A000-memory.dmp

memory/4468-154-0x00000000054A0000-0x00000000054B2000-memory.dmp

memory/3152-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CF3E.exe

MD5 3c134a8fcade6812f2ca56e4cdca71f6
SHA1 9a4d60da544803bdf0b1e4114fe8c2b775eb5ef7
SHA256 9d7423f987c3277f9f3babd60b6c0ad8e0edbf64c8ef4902d5578a686c51bb43
SHA512 11b73494eafdb8a66afe9c7d6f894001e6898985ef9d0db85c8ac431ced740d3ab11aa19d88a0a6ec807b19318db01a34d1fe816b621c003aec6b9b5ce8e6c33

C:\Users\Admin\AppData\Local\Temp\CF3E.exe

MD5 3c134a8fcade6812f2ca56e4cdca71f6
SHA1 9a4d60da544803bdf0b1e4114fe8c2b775eb5ef7
SHA256 9d7423f987c3277f9f3babd60b6c0ad8e0edbf64c8ef4902d5578a686c51bb43
SHA512 11b73494eafdb8a66afe9c7d6f894001e6898985ef9d0db85c8ac431ced740d3ab11aa19d88a0a6ec807b19318db01a34d1fe816b621c003aec6b9b5ce8e6c33

memory/4468-155-0x0000000005500000-0x000000000553C000-memory.dmp

memory/1820-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D2E9.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

C:\Users\Admin\AppData\Local\Temp\D2E9.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

memory/3520-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

memory/4568-167-0x0000000000000000-mapping.dmp

memory/3460-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

C:\Users\Admin\AppData\Local\Temp\D51C.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

C:\Users\Admin\AppData\Local\Temp\D51C.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

memory/4612-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

memory/4612-178-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

memory/1804-179-0x0000000000570000-0x0000000000579000-memory.dmp

memory/1804-180-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1680-177-0x0000000000000000-mapping.dmp

memory/1804-176-0x00000000005A9000-0x00000000005BE000-memory.dmp

memory/812-174-0x0000000002140000-0x000000000225B000-memory.dmp

memory/4612-173-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C75C.exe

MD5 84ddcfcb55c1aa1dfdce65c841fd3193
SHA1 c88b590c9b54f72148143a68c09906ad93aa5904
SHA256 4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037
SHA512 a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

memory/812-171-0x00000000006CD000-0x000000000075E000-memory.dmp

memory/4612-170-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4568-182-0x0000000000F20000-0x0000000000F8B000-memory.dmp

memory/1192-183-0x0000000000000000-mapping.dmp

memory/1072-184-0x0000000000000000-mapping.dmp

memory/1072-185-0x0000000000C10000-0x0000000000C1C000-memory.dmp

memory/4568-186-0x0000000000F20000-0x0000000000F8B000-memory.dmp

memory/4612-187-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4136-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe

MD5 439d717a27db362c26512f8415ef0fc4
SHA1 a821a3003fb586bed33870b65f3b63e7eb8e07b2
SHA256 3cf536d32d940a26d4283037c805817a81ebd55346d9350b15b0ef80ab4538f4
SHA512 660ab9d7dff75a7e36e181d686ea7a19710ae4db16a341632690a32b36ae5e607db59dccca92abf40e03352c3f8524720079f76272a4db785f71c65c84d1bdf3

memory/4772-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe

MD5 439d717a27db362c26512f8415ef0fc4
SHA1 a821a3003fb586bed33870b65f3b63e7eb8e07b2
SHA256 3cf536d32d940a26d4283037c805817a81ebd55346d9350b15b0ef80ab4538f4
SHA512 660ab9d7dff75a7e36e181d686ea7a19710ae4db16a341632690a32b36ae5e607db59dccca92abf40e03352c3f8524720079f76272a4db785f71c65c84d1bdf3

C:\Users\Admin\AppData\Local\df3ca667-9fb7-402b-aeb9-377dab3f93e5\C75C.exe

MD5 84ddcfcb55c1aa1dfdce65c841fd3193
SHA1 c88b590c9b54f72148143a68c09906ad93aa5904
SHA256 4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037
SHA512 a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

memory/3068-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe

MD5 6ab636c162f3683573f0a46ca34fad78
SHA1 99853578ad9b3d99f2201e103fa9cbea7beca58e
SHA256 9aefb8168bc9a3e250172fc3ae2b82c1d5f668441562f319ff9e343dafe156e6
SHA512 13f4c5a87df8eba75301afce34ef7d35720682749ea6e45e290311f0778b1d6f0d7a92815e5baf3b8c02cfe40a976a0d7a6ba15afa534dd6c0b12193c37d74b1

C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe

MD5 6ab636c162f3683573f0a46ca34fad78
SHA1 99853578ad9b3d99f2201e103fa9cbea7beca58e
SHA256 9aefb8168bc9a3e250172fc3ae2b82c1d5f668441562f319ff9e343dafe156e6
SHA512 13f4c5a87df8eba75301afce34ef7d35720682749ea6e45e290311f0778b1d6f0d7a92815e5baf3b8c02cfe40a976a0d7a6ba15afa534dd6c0b12193c37d74b1

memory/3152-197-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3152-196-0x0000000000733000-0x0000000000744000-memory.dmp

memory/4672-198-0x0000000000000000-mapping.dmp

memory/4592-199-0x0000000000000000-mapping.dmp

memory/4612-200-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C75C.exe

MD5 84ddcfcb55c1aa1dfdce65c841fd3193
SHA1 c88b590c9b54f72148143a68c09906ad93aa5904
SHA256 4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037
SHA512 a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

memory/4076-202-0x0000000000000000-mapping.dmp

memory/4076-206-0x00000000023D0000-0x0000000002515000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

MD5 af9989641d3b6aede6edf53b8f2f14b7
SHA1 859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c
SHA256 a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4
SHA512 b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

MD5 af9989641d3b6aede6edf53b8f2f14b7
SHA1 859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c
SHA256 a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4
SHA512 b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

MD5 af9989641d3b6aede6edf53b8f2f14b7
SHA1 859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c
SHA256 a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4
SHA512 b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

memory/4468-208-0x0000000005960000-0x00000000059F2000-memory.dmp

memory/3068-207-0x0000000004C20000-0x00000000051C4000-memory.dmp

memory/4076-210-0x0000000002750000-0x000000000287A000-memory.dmp

memory/4468-209-0x0000000005A00000-0x0000000005A66000-memory.dmp

memory/4076-211-0x00000000029B0000-0x0000000002AD6000-memory.dmp

memory/3068-214-0x0000000000400000-0x000000000046B000-memory.dmp

memory/1804-215-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3068-213-0x0000000001FA0000-0x0000000001FEB000-memory.dmp

memory/3068-212-0x0000000000618000-0x0000000000647000-memory.dmp

memory/4192-216-0x0000000000000000-mapping.dmp

memory/4592-220-0x0000000000674000-0x0000000000705000-memory.dmp

memory/4192-221-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4192-219-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C75C.exe

MD5 84ddcfcb55c1aa1dfdce65c841fd3193
SHA1 c88b590c9b54f72148143a68c09906ad93aa5904
SHA256 4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037
SHA512 a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 a0c36f51610a76607ef3930d43dc617b
SHA1 6f3bda7a776bb06b25db80cafc94af964e93e4b1
SHA256 af37247c1d45e32b72d5e12c0caa0bab8bd5bbf447c2cb9bc83c198c0b7790ea
SHA512 27acf6a6b675927941d4395a5a4922e6af1117b03d6ba7a2215fcb36521ff796fe150f0231fd164b93ec6b870ee2ccc918383e6882dfd9c1bc1f6c7db3ffb3e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 0f419c66dbc4946c001394e2910c173d
SHA1 e988a2291023e4c29b6442bfdeaacd9a83f0c640
SHA256 763aeee4de549d18d1e3a30be29961f5ffe2ce794179d13a06f44dd57a0b6b48
SHA512 c9d6c5459b055cecec7d7ed00f7774144b06fb2a4511bfc110a83577ed4517595a325f51e0579238d28550cf76de0a276f9d8bc322898c763b987a649e643918

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 fec2db91c7c65d1465b063bffc55a501
SHA1 d62a41e21d498607a56b545b85213cd0738cb7aa
SHA256 273cd890bc31549b86b4567016a813bb102c2a180bef7fbc52178352f9f0257b
SHA512 f322c613ef16e134e937320dd6e93597aaabd30158985f333c9ec02f61ebf802f552ed119cf8b31062246aafd2cacfb40451db6c34a373fdb7212359ef84d70d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c6964c598d970f6c97ea4092e97d517d
SHA1 690351843ee9c5dae635519f869192bb786207c6
SHA256 8901c2d40e486f904090f6ee8e107197cdb876c5bfe5fd7ce2d212e3330eba4a
SHA512 7fbaf67a4c6f9603c11ccfb42e65a42841c5f68baaf6817b84e0b48ad036636772adf06bc00b9b31ca33342b4c43854f6e5e750247bc718dd6ad1d5342e38aae

memory/4192-226-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4076-227-0x0000000002AE0000-0x0000000002BC1000-memory.dmp

memory/4076-228-0x0000000002BD0000-0x0000000002C9B000-memory.dmp

memory/2036-231-0x0000000000000000-mapping.dmp

memory/3852-232-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

MD5 af9989641d3b6aede6edf53b8f2f14b7
SHA1 859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c
SHA256 a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4
SHA512 b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

memory/4468-234-0x0000000006960000-0x0000000006B22000-memory.dmp

memory/4468-235-0x0000000007D10000-0x000000000823C000-memory.dmp

memory/3852-236-0x00000000030E0000-0x000000000320A000-memory.dmp

memory/3852-237-0x0000000003340000-0x0000000003466000-memory.dmp

memory/3292-238-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

MD5 6a7892ece7e8bf85628e0e769560b7cb
SHA1 e13140e719218b14dd168467a63d481c7259df8c
SHA256 363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844
SHA512 0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

MD5 6a7892ece7e8bf85628e0e769560b7cb
SHA1 e13140e719218b14dd168467a63d481c7259df8c
SHA256 363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844
SHA512 0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

memory/2684-241-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

MD5 6a7892ece7e8bf85628e0e769560b7cb
SHA1 e13140e719218b14dd168467a63d481c7259df8c
SHA256 363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844
SHA512 0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

memory/3292-247-0x00000000005B0000-0x0000000000607000-memory.dmp

memory/2684-246-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2684-244-0x0000000000400000-0x000000000046B000-memory.dmp

memory/3292-245-0x0000000000662000-0x0000000000693000-memory.dmp

memory/2684-242-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/380-251-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1780-248-0x0000000000000000-mapping.dmp

memory/2684-252-0x0000000000400000-0x000000000046B000-memory.dmp

memory/4076-253-0x00000000029B0000-0x0000000002AD6000-memory.dmp

memory/3068-254-0x0000000000618000-0x0000000000647000-memory.dmp

memory/3852-255-0x0000000003470000-0x0000000003551000-memory.dmp

memory/3852-256-0x0000000003560000-0x000000000362B000-memory.dmp

memory/3852-259-0x0000000003340000-0x0000000003466000-memory.dmp

memory/3068-260-0x0000000006540000-0x00000000065B6000-memory.dmp

memory/3068-261-0x00000000065E0000-0x0000000006630000-memory.dmp

memory/4192-262-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3068-263-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2684-264-0x0000000060900000-0x0000000060992000-memory.dmp

C:\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

C:\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4476-287-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

memory/2684-289-0x0000000000400000-0x000000000046B000-memory.dmp

memory/4208-290-0x0000000000000000-mapping.dmp

memory/2684-291-0x0000000000400000-0x000000000046B000-memory.dmp

memory/892-292-0x0000000000000000-mapping.dmp

memory/4836-293-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\672C.exe

MD5 d4fe627b0bc66a57bfdb76c531c06ce6
SHA1 1a9ff0a579460a2e90266ebbfbad127514a74e7a
SHA256 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
SHA512 bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617

C:\Users\Admin\AppData\Local\Temp\672C.exe

MD5 d4fe627b0bc66a57bfdb76c531c06ce6
SHA1 1a9ff0a579460a2e90266ebbfbad127514a74e7a
SHA256 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
SHA512 bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617

memory/2672-296-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

MD5 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1 6b244d708706441095ae97294928967ddf28432b
SHA256 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

memory/4836-299-0x0000000001FDE000-0x00000000020B4000-memory.dmp

memory/4836-300-0x0000000002260000-0x0000000002375000-memory.dmp

memory/4836-301-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1004-302-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

MD5 af364df1b3d1011a1e53cc43a0f47931
SHA1 40a1afe04bb41b40c0369ac5d4707fc74583d2a3
SHA256 3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2
SHA512 e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

MD5 af364df1b3d1011a1e53cc43a0f47931
SHA1 40a1afe04bb41b40c0369ac5d4707fc74583d2a3
SHA256 3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2
SHA512 e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

memory/1004-306-0x00000000008A0000-0x00000000008C4000-memory.dmp

C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

MD5 af364df1b3d1011a1e53cc43a0f47931
SHA1 40a1afe04bb41b40c0369ac5d4707fc74583d2a3
SHA256 3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2
SHA512 e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

memory/2672-307-0x00000000059F0000-0x0000000006115000-memory.dmp

memory/2672-308-0x00000000059F0000-0x0000000006115000-memory.dmp

memory/2672-309-0x0000000004740000-0x0000000004880000-memory.dmp

memory/2672-310-0x0000000004740000-0x0000000004880000-memory.dmp

memory/2672-311-0x0000000004740000-0x0000000004880000-memory.dmp

memory/2672-312-0x0000000004740000-0x0000000004880000-memory.dmp

memory/2672-313-0x0000000004740000-0x0000000004880000-memory.dmp

memory/2672-314-0x0000000004740000-0x0000000004880000-memory.dmp

memory/3604-315-0x00007FF75C0A6890-mapping.dmp

memory/3604-316-0x00000249DFB70000-0x00000249DFCB0000-memory.dmp

memory/3604-317-0x00000249DFB70000-0x00000249DFCB0000-memory.dmp

memory/2672-318-0x00000000047B9000-0x00000000047BB000-memory.dmp

memory/3604-319-0x0000000000E90000-0x00000000010A9000-memory.dmp

memory/3604-320-0x00000249DE1A0000-0x00000249DE3CA000-memory.dmp

memory/2672-321-0x00000000059F0000-0x0000000006115000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

MD5 30bfff5f826b2587eb0af8103ebb4375
SHA1 5b7bc30f5b133c237f35de24f85f799d51a6f0c4
SHA256 7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068
SHA512 53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec