Analysis Overview
SHA256
674cd4625ef18cbcd8edb1434af6130d735e3ddd1d312bc30806749e5c65f01d
Threat Level: Known bad
The file d2e3776282eec363c33d68dc27324718.exe was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Amadey
Vidar
Process spawned unexpected child process
Djvu Ransomware
Detects Smokeloader packer
SmokeLoader
VMProtect packed file
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Modifies file permissions
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-07 22:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-07 22:11
Reported
2023-01-07 22:13
Platform
win7-20220901-en
Max time kernel
150s
Max time network
52s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe
"C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe"
Network
Files
memory/1260-54-0x0000000075091000-0x0000000075093000-memory.dmp
memory/1260-55-0x00000000031FB000-0x0000000003211000-memory.dmp
memory/1260-56-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1260-57-0x0000000000400000-0x0000000003013000-memory.dmp
memory/1260-58-0x0000000000400000-0x0000000003013000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-07 22:11
Reported
2023-01-07 22:13
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\14A8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F013.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F013.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12A3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\003374e9-7a71-493e-a3cd-b267fc9d088c\\F013.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F013.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4804 set thread context of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\F013.exe | C:\Users\Admin\AppData\Local\Temp\F013.exe |
| PID 4140 set thread context of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\F013.exe | C:\Users\Admin\AppData\Local\Temp\F013.exe |
| PID 4244 set thread context of 1292 | N/A | C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe | C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe |
| PID 4940 set thread context of 2796 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F285.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F285.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F285.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000275695b9100054656d7000003a0009000400efbe0c551d9c275695b92e00000000000000000000000000000000000000000000000000c4734600540065006d007000000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F285.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EE5C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\164F.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe
"C:\Users\Admin\AppData\Local\Temp\d2e3776282eec363c33d68dc27324718.exe"
C:\Users\Admin\AppData\Local\Temp\EE5C.exe
C:\Users\Admin\AppData\Local\Temp\EE5C.exe
C:\Users\Admin\AppData\Local\Temp\F013.exe
C:\Users\Admin\AppData\Local\Temp\F013.exe
C:\Users\Admin\AppData\Local\Temp\F285.exe
C:\Users\Admin\AppData\Local\Temp\F285.exe
C:\Users\Admin\AppData\Local\Temp\F3CE.exe
C:\Users\Admin\AppData\Local\Temp\F3CE.exe
C:\Users\Admin\AppData\Local\Temp\1D9.exe
C:\Users\Admin\AppData\Local\Temp\1D9.exe
C:\Users\Admin\AppData\Local\Temp\739.exe
C:\Users\Admin\AppData\Local\Temp\739.exe
C:\Users\Admin\AppData\Local\Temp\12A3.exe
C:\Users\Admin\AppData\Local\Temp\12A3.exe
C:\Users\Admin\AppData\Local\Temp\14A8.exe
C:\Users\Admin\AppData\Local\Temp\14A8.exe
C:\Users\Admin\AppData\Local\Temp\164F.exe
C:\Users\Admin\AppData\Local\Temp\164F.exe
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\F013.exe
C:\Users\Admin\AppData\Local\Temp\F013.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4880 -ip 4880
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 356
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\003374e9-7a71-493e-a3cd-b267fc9d088c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2240 -ip 2240
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3568 -ip 3568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 600
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 600
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\F013.exe
"C:\Users\Admin\AppData\Local\Temp\F013.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\F013.exe
"C:\Users\Admin\AppData\Local\Temp\F013.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3484 -ip 3484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1232
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe
"C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe"
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build3.exe
"C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\CA6D.exe
C:\Users\Admin\AppData\Local\Temp\CA6D.exe
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe
"C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1616 -ip 1616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 300
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 1540 -ip 1540
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1540 -s 684
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15598
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
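The process list above records the behaviours a responder would want to alert on: schtasks creating a task that re-launches a binary from AppData every minute (nbveek.exe, and later mstsca.exe under the name "Azure-Update-Task"), CACLS setting the dropped file and its folder to Admin:N and then Admin:R so the user cannot delete them, icacls denying Everyone (S-1-1-0) delete rights on the folder Djvu works from, rundll32 loading a module from the user's Temp or Roaming folder (one of them with a .tmp extension), and a cmd timeout-then-del self-deletion of build2.exe. The Python below is an added example, not part of the sandbox report: it runs simple regex rules over command lines copied from the list above and returns which pattern each one matches. The rule names and the "AppData is user-writable" heuristic are this example's own assumptions; the shell32.dll rundll32 line is included as a benign control.

```python
"""Flag the persistence, anti-removal and self-deletion patterns seen in the
process list. Added example, not part of the sandbox report."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Command lines copied from the process list above (constructed sample input).
# The last entry is a benign rundll32 invocation kept as a control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit',
    r'icacls "C:\Users\Admin\AppData\Local\003374e9-7a71-493e-a3cd-b267fc9d088c" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open',
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe" & exit',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main',
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
]

# Heuristic (this example's own assumption): paths under the user's AppData
# are writable without elevation, and every payload in this report lives there.
USER_WRITABLE = re.compile(r'\\AppData\\(?:Local|Roaming)\\', re.I)


def _task_target(cmd: str) -> Optional[str]:
    """Return the /TR (task action) path of a schtasks command line, if any."""
    m = re.search(r'/tr\s+"?([^"\s]+)', cmd, re.I)
    return m.group(1) if m else None


def _rundll32_module(cmd: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, if any."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.(?:dll|tmp))', cmd, re.I)
    return m.group(1) if m else None


def task_every_minute(cmd: str) -> bool:
    """schtasks /create with a one-minute repeat: a watchdog that restarts the payload."""
    return bool(re.search(r'/create\b', cmd, re.I)
                and re.search(r'/sc\s+minute\s+/mo\s+1\b', cmd, re.I))


def task_in_user_dir(cmd: str) -> bool:
    """schtasks /create whose action lives in a user-writable directory."""
    target = _task_target(cmd)
    return bool(re.search(r'/create\b', cmd, re.I) and target and USER_WRITABLE.search(target))


def cacls_deny_then_readonly(cmd: str) -> bool:
    """CACLS <file> /P "<user>:N" strips all rights, then /P "<user>:R" /E leaves read-only."""
    return bool(re.search(r'\bcacls\s+"[^"]+"\s+/p\s+"[^"]+:N"', cmd, re.I)
                and re.search(r'\bcacls\s+"[^"]+"\s+/p\s+"[^"]+:R"\s+/e\b', cmd, re.I))


def icacls_deny_delete(cmd: str) -> bool:
    """icacls /deny with DE (delete) or DC (delete child) rights on a directory."""
    return bool(re.search(r'\bicacls\b', cmd, re.I) and re.search(r'/deny\b', cmd, re.I)
                and re.search(r'\b(?:DE|DC)\b', cmd))


def self_delete_after_timeout(cmd: str) -> bool:
    """cmd /c timeout /t N & del /f /q <exe>: the payload erases itself after exit."""
    return bool(re.search(r'\btimeout\s+/t\s+\d+', cmd, re.I)
                and re.search(r'\bdel\s+(?:/[fq]\s+)*"?[^"]*\.exe', cmd, re.I))


def rundll32_user_dir_module(cmd: str) -> bool:
    """rundll32 loading a .dll or .tmp from a user-writable directory."""
    module = _rundll32_module(cmd)
    return bool(module and USER_WRITABLE.search(module))


RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("scheduled_task_every_minute", task_every_minute),
    ("scheduled_task_in_user_dir", task_in_user_dir),
    ("cacls_deny_then_readonly", cacls_deny_then_readonly),
    ("icacls_deny_delete", icacls_deny_delete),
    ("self_delete_after_timeout", self_delete_after_timeout),
    ("rundll32_user_dir_module", rundll32_user_dir_module),
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, pred in RULES if pred(cmdline)]


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to the rule names it triggered."""
    report: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            report[cmd] = hits
    return report


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(", ".join(hits), "<-", cmd[:90])
```

Of the nine sample lines, eight trigger at least one rule; the shell32.dll line is the only one that stays quiet, because its module sits under System32 rather than AppData. Any of these rules on its own is noisy in production telemetry (installers use CACLS and schtasks too); the combination seen here, a one-minute task pointing at AppData plus an ACL lockdown of the same file, is what makes the sequence worth an alert.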
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.97.0:80 | potunulit.org | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 8.8.8.8:53 | lazydowns.com | udp |
| N/A | 68.65.123.54:443 | lazydowns.com | tcp |
| N/A | 8.8.8.8:53 | cleanpcsoft.com | udp |
| N/A | 198.54.115.119:443 | cleanpcsoft.com | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 13.69.239.72:443 | | tcp |
| N/A | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 8.8.8.8:53 | xv.yxzgamen.com | udp |
| N/A | 188.114.97.0:443 | xv.yxzgamen.com | tcp |
| N/A | 188.114.97.0:443 | xv.yxzgamen.com | tcp |
| N/A | 91.215.85.155:32796 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 91.215.85.155:32796 | | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 211.40.39.251:80 | uaery.top | tcp |
| N/A | 211.171.233.129:80 | spaceris.com | tcp |
| N/A | 211.171.233.129:80 | spaceris.com | tcp |
| N/A | 8.8.8.8:53 | vatra.at | udp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 194.135.33.42:80 | 194.135.33.42 | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 151.251.24.5:80 | vatra.at | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.201.35:443 | www.facebook.com | tcp |
| N/A | 157.240.201.35:443 | www.facebook.com | tcp |
| N/A | 127.0.0.1:15598 | | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
Files
memory/3036-132-0x00000000030FD000-0x0000000003113000-memory.dmp
memory/3036-133-0x00000000030A0000-0x00000000030A9000-memory.dmp
memory/3036-134-0x0000000000400000-0x0000000003013000-memory.dmp
memory/3036-135-0x0000000000400000-0x0000000003013000-memory.dmp
memory/3484-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EE5C.exe
| MD5 | f5bacc650aa22ae1279aee4c46cb866b |
| SHA1 | 07c0ad6eef8b505bed39bba58e33d9047750a74c |
| SHA256 | 80d6f172b24f060930cb9ccdd8377c098043105628309726b2b0f1d14d104342 |
| SHA512 | 07de13e91e376054fd07dc18c962cd567b6fe79416181305edb2a430667934d1b8c965c0a2ebdf66a3419db004bf2993de13c1a8f42678c279b4beb325b1eb83 |
C:\Users\Admin\AppData\Local\Temp\EE5C.exe
| MD5 | f5bacc650aa22ae1279aee4c46cb866b |
| SHA1 | 07c0ad6eef8b505bed39bba58e33d9047750a74c |
| SHA256 | 80d6f172b24f060930cb9ccdd8377c098043105628309726b2b0f1d14d104342 |
| SHA512 | 07de13e91e376054fd07dc18c962cd567b6fe79416181305edb2a430667934d1b8c965c0a2ebdf66a3419db004bf2993de13c1a8f42678c279b4beb325b1eb83 |
C:\Users\Admin\AppData\Local\Temp\F013.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/4804-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F013.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/4856-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F285.exe
| MD5 | 85680181243a3b1e0dc116507c5a3b30 |
| SHA1 | 8fa676e2ffae296e635c41a3ea35ff8c27a43bd7 |
| SHA256 | 4985fa58f25344e59dccf1b0258d7bbb4a16b509f25bf0ce25586437a4e6a8c8 |
| SHA512 | 676d567a1ca2d9449035b813546fa27f1b5aeed31a1b178ef98a4cfb0d046e26d3847ab302fdeb3b38c5b45f0c83224e50892417e2e0a39c4a8ce7415c53959c |
C:\Users\Admin\AppData\Local\Temp\F285.exe
| MD5 | 85680181243a3b1e0dc116507c5a3b30 |
| SHA1 | 8fa676e2ffae296e635c41a3ea35ff8c27a43bd7 |
| SHA256 | 4985fa58f25344e59dccf1b0258d7bbb4a16b509f25bf0ce25586437a4e6a8c8 |
| SHA512 | 676d567a1ca2d9449035b813546fa27f1b5aeed31a1b178ef98a4cfb0d046e26d3847ab302fdeb3b38c5b45f0c83224e50892417e2e0a39c4a8ce7415c53959c |
memory/4880-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F3CE.exe
| MD5 | b9bfdc5e2185f3660a476defa9f3be0e |
| SHA1 | db874bc97764445da6f370c426e2a43c41dd57bd |
| SHA256 | 67ca5adb5a5afa3b99bf9b0c3cf0e584627b5fe004a14c56f6cca9d05b97cbea |
| SHA512 | 19428c13be7fc3e67cdaf7c974d509841d8cebea6ada454eb2030156209bc9c4ec265b0bb2f1639b966da69d9a17eb8b558ea40aae98796efd601203f6ced74e |
C:\Users\Admin\AppData\Local\Temp\F3CE.exe
| MD5 | b9bfdc5e2185f3660a476defa9f3be0e |
| SHA1 | db874bc97764445da6f370c426e2a43c41dd57bd |
| SHA256 | 67ca5adb5a5afa3b99bf9b0c3cf0e584627b5fe004a14c56f6cca9d05b97cbea |
| SHA512 | 19428c13be7fc3e67cdaf7c974d509841d8cebea6ada454eb2030156209bc9c4ec265b0bb2f1639b966da69d9a17eb8b558ea40aae98796efd601203f6ced74e |
memory/3180-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1D9.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\1D9.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/3180-151-0x0000000140000000-0x000000014061A000-memory.dmp
memory/3344-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\739.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\739.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/3344-158-0x0000000140000000-0x000000014061A000-memory.dmp
memory/616-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\12A3.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\Temp\12A3.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
memory/3168-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\14A8.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\Temp\14A8.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
memory/616-168-0x0000000000A90000-0x0000000000AF6000-memory.dmp
memory/2388-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\164F.exe
| MD5 | 4ed8fc021a8c8e43a565f5077fc0e7a9 |
| SHA1 | 7e4f5e2d95567c1a96b8e02f9af1ba7432d9fb2f |
| SHA256 | ac4bf5981d50148ef38fe7ecd09cd0cf3ac92f59acaf189e689ca461a4c60394 |
| SHA512 | 320bc1c3e0ebe5bee625b2dd6ff5572216c970170b27ec0287f0a531341b98be1ab9c90b2a8dda35b6a00df878e0ab0c74b5dfeee8057a4c7f4f104632b5b21c |
C:\Users\Admin\AppData\Local\Temp\164F.exe
| MD5 | 4ed8fc021a8c8e43a565f5077fc0e7a9 |
| SHA1 | 7e4f5e2d95567c1a96b8e02f9af1ba7432d9fb2f |
| SHA256 | ac4bf5981d50148ef38fe7ecd09cd0cf3ac92f59acaf189e689ca461a4c60394 |
| SHA512 | 320bc1c3e0ebe5bee625b2dd6ff5572216c970170b27ec0287f0a531341b98be1ab9c90b2a8dda35b6a00df878e0ab0c74b5dfeee8057a4c7f4f104632b5b21c |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/2384-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/904-180-0x0000000000000000-mapping.dmp
memory/3744-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/2988-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/4748-186-0x0000000000000000-mapping.dmp
memory/1924-187-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/1084-190-0x0000000000000000-mapping.dmp
memory/1932-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/1276-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/1492-195-0x0000000000000000-mapping.dmp
memory/3960-197-0x0000000000000000-mapping.dmp
memory/3484-196-0x000000000336D000-0x000000000339B000-memory.dmp
memory/3484-198-0x0000000007740000-0x0000000007CE4000-memory.dmp
memory/3960-202-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F013.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/4804-203-0x0000000004D22000-0x0000000004DB4000-memory.dmp
memory/3960-200-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3484-199-0x00000000032B0000-0x00000000032FB000-memory.dmp
memory/4804-205-0x0000000004DC0000-0x0000000004EDB000-memory.dmp
memory/3960-204-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3484-206-0x0000000000400000-0x0000000003034000-memory.dmp
memory/3484-207-0x0000000007CF0000-0x0000000008308000-memory.dmp
memory/3484-208-0x0000000008310000-0x000000000841A000-memory.dmp
memory/3960-209-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4856-212-0x0000000003130000-0x0000000003139000-memory.dmp
memory/4856-211-0x000000000317D000-0x0000000003192000-memory.dmp
memory/3484-210-0x0000000008420000-0x0000000008432000-memory.dmp
memory/624-214-0x0000000000000000-mapping.dmp
memory/3484-213-0x0000000008440000-0x000000000847C000-memory.dmp
memory/4856-215-0x0000000000400000-0x000000000301B000-memory.dmp
memory/1788-216-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
memory/4880-218-0x0000000000400000-0x0000000003013000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/4856-220-0x0000000000400000-0x000000000301B000-memory.dmp
memory/364-221-0x0000000000000000-mapping.dmp
memory/3716-222-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/3568-225-0x0000000000000000-mapping.dmp
memory/2240-224-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
memory/444-230-0x0000000000000000-mapping.dmp
memory/4880-229-0x000000000324D000-0x0000000003262000-memory.dmp
memory/3620-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/3492-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\003374e9-7a71-493e-a3cd-b267fc9d088c\F013.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/4140-235-0x0000000000000000-mapping.dmp
memory/3960-236-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F013.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/3484-238-0x0000000008720000-0x00000000087B2000-memory.dmp
memory/3484-239-0x00000000087C0000-0x0000000008826000-memory.dmp
memory/2388-240-0x000000000325D000-0x000000000328B000-memory.dmp
memory/2388-241-0x0000000000400000-0x000000000302C000-memory.dmp
memory/3484-242-0x0000000009110000-0x00000000092D2000-memory.dmp
memory/3484-243-0x00000000092F0000-0x000000000981C000-memory.dmp
memory/3484-244-0x000000000336D000-0x000000000339B000-memory.dmp
memory/4732-245-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F013.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/4732-248-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4140-249-0x0000000004CE9000-0x0000000004D7B000-memory.dmp
memory/4732-250-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 7c56401cb6bd1ae402e06f0fe35f81c4 |
| SHA1 | b82bbb9fa39266796cafcd308ef4300fc92e3399 |
| SHA256 | 0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65 |
| SHA512 | 2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 82759cb6c6c9d5498b7f7c163b3a1a04 |
| SHA1 | 43fc28110333e6e1cae17302445a63b9e7ff0194 |
| SHA256 | fec4128751cdf7b154be4457f798d4ba81d6d74e356ec536439bd00b3e20735c |
| SHA512 | 7505ab9e951bdad93bf341bb687f2a3a15aa80a4bf547005df99df4cc72d055ae02fefb4f4ccafa043c25e5a58b45ff7a2a7de0bceaa551f79ccc85dcad8e72e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 411cd537dcecbf901759b8e6c1bdb076 |
| SHA1 | 655df9870867a1760ad1a2c967b330c61767437a |
| SHA256 | aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db |
| SHA512 | ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 1074fc6c355d5c4567c48ead32e632af |
| SHA1 | b2adc8021fb5e388c9b2195df669f174106279e4 |
| SHA256 | 28ad70d0dc667b30105483600439d4ac4a6fe02737c1746aa3f2fd1bdcaafa49 |
| SHA512 | f7ee1d30a298571adffaea05cfddc1c0aa91a4001ae53223c74ef01b07a0e18d112d9aca1bc9c984df6fda23a938f6650a2ebd6a4ab9da7ba6e2bc8436596e90 |
memory/4732-255-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3484-256-0x0000000000400000-0x0000000003034000-memory.dmp
memory/2388-257-0x000000000325D000-0x000000000328B000-memory.dmp
memory/2388-258-0x0000000000400000-0x000000000302C000-memory.dmp
memory/4244-259-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/3732-262-0x0000000000000000-mapping.dmp
memory/5028-265-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1616-266-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CA6D.exe
| MD5 | a1097be96c7e1981a5d2df167f1aba2c |
| SHA1 | 45efe6dc99ebd2b1557f04b3c8d02c0932b4f832 |
| SHA256 | 0c006424dbdae21f9ff6c9ed9518f869213175b9961df3d856533798e0da790d |
| SHA512 | 8a45036012039fcc3a4618b1a35cd558b6212d18cea26bf97b39d92ce73919c8f30872deddfc1331850729fc45432568484d6a2e4b6bdeaffdb64cdeb6b5e9fb |
C:\Users\Admin\AppData\Local\Temp\CA6D.exe
| MD5 | a1097be96c7e1981a5d2df167f1aba2c |
| SHA1 | 45efe6dc99ebd2b1557f04b3c8d02c0932b4f832 |
| SHA256 | 0c006424dbdae21f9ff6c9ed9518f869213175b9961df3d856533798e0da790d |
| SHA512 | 8a45036012039fcc3a4618b1a35cd558b6212d18cea26bf97b39d92ce73919c8f30872deddfc1331850729fc45432568484d6a2e4b6bdeaffdb64cdeb6b5e9fb |
memory/4732-269-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1292-271-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\1569b26d-9183-497b-9052-246af9f02abf\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/1292-273-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1292-270-0x0000000000000000-mapping.dmp
memory/4244-275-0x0000000000658000-0x0000000000686000-memory.dmp
memory/1292-274-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4244-276-0x00000000020E0000-0x000000000212C000-memory.dmp
memory/1292-277-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4940-278-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp
| MD5 | 9dd70d24b2657a9254b9fd536a4d06d5 |
| SHA1 | 348a1d210d7c4daef8ecdb692eadf3975971e8ee |
| SHA256 | d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd |
| SHA512 | dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6 |
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |