Analysis Overview
SHA256
74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553
Threat Level: Known bad
The file 74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553 was found to be: Known bad.
Malicious Activity Summary
Amadey
Detects Smokeloader packer
Process spawned unexpected child process
Vidar
SmokeLoader
Djvu Ransomware
Detected Djvu ransomware
Downloads MZ/PE file
Blocklisted process makes network request
VMProtect packed file
Executes dropped EXE
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Script User-Agent
Modifies registry class
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-07 22:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-07 22:00
Reported
2023-01-07 22:03
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe |
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D6ED.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D6ED.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\768.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A67.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\53adca12-92b0-4fdc-86e4-430ee9c85918\\D6ED.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D6ED.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1800 set thread context of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\D6ED.exe | C:\Users\Admin\AppData\Local\Temp\D6ED.exe |
| PID 5096 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\D6ED.exe | C:\Users\Admin\AppData\Local\Temp\D6ED.exe |
| PID 4964 set thread context of 4916 | N/A | C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe | C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe |
| PID 2256 set thread context of 4516 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\D9FB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\D9FB.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\D9FB.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000275645b8100054656d7000003a0009000400efbe6b55586c27564ab82e000000000000000000000000000000000000000000000000008e976200540065006d007000000014000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D9FB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D546.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAA.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe
"C:\Users\Admin\AppData\Local\Temp\74b2fa2d7bccb0ea1f08b1e55c4f918d05000be925fd09331590ef6731dbd553.exe"
C:\Users\Admin\AppData\Local\Temp\D546.exe
C:\Users\Admin\AppData\Local\Temp\D546.exe
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
C:\Users\Admin\AppData\Local\Temp\D9FB.exe
C:\Users\Admin\AppData\Local\Temp\D9FB.exe
C:\Users\Admin\AppData\Local\Temp\DB64.exe
C:\Users\Admin\AppData\Local\Temp\DB64.exe
C:\Users\Admin\AppData\Local\Temp\F323.exe
C:\Users\Admin\AppData\Local\Temp\F323.exe
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
C:\Users\Admin\AppData\Local\Temp\F96D.exe
C:\Users\Admin\AppData\Local\Temp\F96D.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 348 -ip 348
C:\Users\Admin\AppData\Local\Temp\768.exe
C:\Users\Admin\AppData\Local\Temp\768.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 288
C:\Users\Admin\AppData\Local\Temp\A67.exe
C:\Users\Admin\AppData\Local\Temp\A67.exe
C:\Users\Admin\AppData\Local\Temp\CAA.exe
C:\Users\Admin\AppData\Local\Temp\CAA.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\53adca12-92b0-4fdc-86e4-430ee9c85918" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1492
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
"C:\Users\Admin\AppData\Local\Temp\D6ED.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2660 -ip 2660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 600
C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe"
C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
"C:\Users\Admin\AppData\Local\Temp\D6ED.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4752 -ip 4752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1256
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe
"C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe"
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build3.exe
"C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1564 -ip 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1260
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe
"C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1836
C:\Users\Admin\AppData\Local\Temp\C0B9.exe
C:\Users\Admin\AppData\Local\Temp\C0B9.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 296
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 1352 -ip 1352
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1352 -s 680
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15591
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.0:80 | potunulit.org | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 8.8.8.8:53 | lazydowns.com | udp |
| N/A | 68.65.123.54:443 | lazydowns.com | tcp |
| N/A | 8.8.8.8:53 | cleanpcsoft.com | udp |
| N/A | 198.54.115.119:443 | cleanpcsoft.com | tcp |
| N/A | 91.215.85.155:32796 | tcp | |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 20.42.65.84:443 | tcp | |
| N/A | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 8.8.8.8:53 | xv.yxzgamen.com | udp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 188.114.96.0:443 | xv.yxzgamen.com | tcp |
| N/A | 188.114.96.0:443 | xv.yxzgamen.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 91.215.85.155:32796 | tcp | |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 109.102.255.230:80 | uaery.top | tcp |
| N/A | 175.126.109.15:80 | uaery.top | tcp |
| N/A | 175.126.109.15:80 | uaery.top | tcp |
| N/A | 52.109.77.1:443 | tcp | |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
| N/A | 8.8.8.8:53 | vatra.at | udp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 194.135.33.42:80 | 194.135.33.42 | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 190.147.188.50:80 | vatra.at | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 127.0.0.1:15591 | tcp | |
| N/A | 127.0.0.1:1312 | tcp |
Files
memory/3936-132-0x00000000030DE000-0x00000000030F4000-memory.dmp
memory/3936-133-0x0000000004D50000-0x0000000004D59000-memory.dmp
memory/3936-134-0x0000000000400000-0x000000000301B000-memory.dmp
memory/3936-135-0x0000000000400000-0x000000000301B000-memory.dmp
memory/4752-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D546.exe
| MD5 | f5bacc650aa22ae1279aee4c46cb866b |
| SHA1 | 07c0ad6eef8b505bed39bba58e33d9047750a74c |
| SHA256 | 80d6f172b24f060930cb9ccdd8377c098043105628309726b2b0f1d14d104342 |
| SHA512 | 07de13e91e376054fd07dc18c962cd567b6fe79416181305edb2a430667934d1b8c965c0a2ebdf66a3419db004bf2993de13c1a8f42678c279b4beb325b1eb83 |
C:\Users\Admin\AppData\Local\Temp\D546.exe
| MD5 | f5bacc650aa22ae1279aee4c46cb866b |
| SHA1 | 07c0ad6eef8b505bed39bba58e33d9047750a74c |
| SHA256 | 80d6f172b24f060930cb9ccdd8377c098043105628309726b2b0f1d14d104342 |
| SHA512 | 07de13e91e376054fd07dc18c962cd567b6fe79416181305edb2a430667934d1b8c965c0a2ebdf66a3419db004bf2993de13c1a8f42678c279b4beb325b1eb83 |
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/1800-139-0x0000000000000000-mapping.dmp
memory/3060-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D9FB.exe
| MD5 | 85680181243a3b1e0dc116507c5a3b30 |
| SHA1 | 8fa676e2ffae296e635c41a3ea35ff8c27a43bd7 |
| SHA256 | 4985fa58f25344e59dccf1b0258d7bbb4a16b509f25bf0ce25586437a4e6a8c8 |
| SHA512 | 676d567a1ca2d9449035b813546fa27f1b5aeed31a1b178ef98a4cfb0d046e26d3847ab302fdeb3b38c5b45f0c83224e50892417e2e0a39c4a8ce7415c53959c |
C:\Users\Admin\AppData\Local\Temp\D9FB.exe
| MD5 | 85680181243a3b1e0dc116507c5a3b30 |
| SHA1 | 8fa676e2ffae296e635c41a3ea35ff8c27a43bd7 |
| SHA256 | 4985fa58f25344e59dccf1b0258d7bbb4a16b509f25bf0ce25586437a4e6a8c8 |
| SHA512 | 676d567a1ca2d9449035b813546fa27f1b5aeed31a1b178ef98a4cfb0d046e26d3847ab302fdeb3b38c5b45f0c83224e50892417e2e0a39c4a8ce7415c53959c |
memory/348-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB64.exe
| MD5 | b9bfdc5e2185f3660a476defa9f3be0e |
| SHA1 | db874bc97764445da6f370c426e2a43c41dd57bd |
| SHA256 | 67ca5adb5a5afa3b99bf9b0c3cf0e584627b5fe004a14c56f6cca9d05b97cbea |
| SHA512 | 19428c13be7fc3e67cdaf7c974d509841d8cebea6ada454eb2030156209bc9c4ec265b0bb2f1639b966da69d9a17eb8b558ea40aae98796efd601203f6ced74e |
C:\Users\Admin\AppData\Local\Temp\DB64.exe
| MD5 | b9bfdc5e2185f3660a476defa9f3be0e |
| SHA1 | db874bc97764445da6f370c426e2a43c41dd57bd |
| SHA256 | 67ca5adb5a5afa3b99bf9b0c3cf0e584627b5fe004a14c56f6cca9d05b97cbea |
| SHA512 | 19428c13be7fc3e67cdaf7c974d509841d8cebea6ada454eb2030156209bc9c4ec265b0bb2f1639b966da69d9a17eb8b558ea40aae98796efd601203f6ced74e |
memory/4752-148-0x000000000315D000-0x000000000318B000-memory.dmp
memory/4752-149-0x00000000030F0000-0x000000000313B000-memory.dmp
memory/4752-151-0x0000000007870000-0x0000000007E14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F323.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\F323.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/4752-154-0x0000000000400000-0x0000000003034000-memory.dmp
memory/4076-150-0x0000000000000000-mapping.dmp
memory/4752-157-0x0000000007E20000-0x0000000008438000-memory.dmp
memory/4076-155-0x0000000140000000-0x000000014061A000-memory.dmp
memory/3160-159-0x0000000000000000-mapping.dmp
memory/4752-161-0x0000000007700000-0x000000000780A000-memory.dmp
memory/3160-170-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F96D.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\F96D.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/1800-165-0x0000000004D90000-0x0000000004EAB000-memory.dmp
memory/4752-164-0x0000000007830000-0x0000000007842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/1800-162-0x0000000004CEE000-0x0000000004D80000-memory.dmp
memory/2752-160-0x0000000000000000-mapping.dmp
memory/3160-163-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3160-172-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4752-171-0x0000000008440000-0x000000000847C000-memory.dmp
memory/2752-173-0x0000000140000000-0x000000014061A000-memory.dmp
memory/3160-175-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3060-178-0x00000000031ED000-0x0000000003202000-memory.dmp
memory/3060-179-0x0000000003050000-0x0000000003059000-memory.dmp
memory/3968-180-0x0000000000000000-mapping.dmp
memory/3968-183-0x00000000008C0000-0x0000000000926000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\768.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\Temp\768.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
memory/3060-184-0x0000000000400000-0x000000000301B000-memory.dmp
memory/3684-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\A67.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\Temp\A67.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/1564-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CAA.exe
| MD5 | 4ed8fc021a8c8e43a565f5077fc0e7a9 |
| SHA1 | 7e4f5e2d95567c1a96b8e02f9af1ba7432d9fb2f |
| SHA256 | ac4bf5981d50148ef38fe7ecd09cd0cf3ac92f59acaf189e689ca461a4c60394 |
| SHA512 | 320bc1c3e0ebe5bee625b2dd6ff5572216c970170b27ec0287f0a531341b98be1ab9c90b2a8dda35b6a00df878e0ab0c74b5dfeee8057a4c7f4f104632b5b21c |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
C:\Users\Admin\AppData\Local\Temp\CAA.exe
| MD5 | 4ed8fc021a8c8e43a565f5077fc0e7a9 |
| SHA1 | 7e4f5e2d95567c1a96b8e02f9af1ba7432d9fb2f |
| SHA256 | ac4bf5981d50148ef38fe7ecd09cd0cf3ac92f59acaf189e689ca461a4c60394 |
| SHA512 | 320bc1c3e0ebe5bee625b2dd6ff5572216c970170b27ec0287f0a531341b98be1ab9c90b2a8dda35b6a00df878e0ab0c74b5dfeee8057a4c7f4f104632b5b21c |
memory/2864-193-0x0000000000000000-mapping.dmp
memory/3876-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/2844-198-0x0000000000000000-mapping.dmp
memory/2840-197-0x0000000000000000-mapping.dmp
memory/348-196-0x0000000000400000-0x0000000003013000-memory.dmp
memory/348-202-0x000000000317D000-0x0000000003192000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/3912-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/3060-207-0x0000000000400000-0x000000000301B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/4752-210-0x0000000008720000-0x00000000087B2000-memory.dmp
memory/4380-209-0x0000000000000000-mapping.dmp
memory/4280-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/4752-214-0x00000000087C0000-0x0000000008826000-memory.dmp
memory/4284-212-0x0000000000000000-mapping.dmp
memory/796-211-0x0000000000000000-mapping.dmp
memory/872-215-0x0000000000000000-mapping.dmp
memory/5096-222-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\53adca12-92b0-4fdc-86e4-430ee9c85918\D6ED.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/3160-223-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4156-220-0x0000000000000000-mapping.dmp
memory/4460-219-0x0000000000000000-mapping.dmp
memory/5060-218-0x0000000000000000-mapping.dmp
memory/3084-217-0x0000000000000000-mapping.dmp
memory/4404-216-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/4752-227-0x000000000315D000-0x000000000318B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/2660-230-0x0000000000000000-mapping.dmp
memory/4160-229-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/2760-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe
| MD5 | bdb4e8663e6eb546a2bde8f8e3e9cdb4 |
| SHA1 | 3750742d25938f8cab8b98c3392f6cbdfd5b6a62 |
| SHA256 | 8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5 |
| SHA512 | 71e411938423ec77111b9e7fd896c6fd4b6e958634042bf45a2f97168da5ac7e10891d707af30b34461b937e45c9c71806989c9df10a30ab71de0050d9ca2a28 |
memory/2760-237-0x0000000000E20000-0x00000000015C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe
| MD5 | bdb4e8663e6eb546a2bde8f8e3e9cdb4 |
| SHA1 | 3750742d25938f8cab8b98c3392f6cbdfd5b6a62 |
| SHA256 | 8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5 |
| SHA512 | 71e411938423ec77111b9e7fd896c6fd4b6e958634042bf45a2f97168da5ac7e10891d707af30b34461b937e45c9c71806989c9df10a30ab71de0050d9ca2a28 |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
memory/4028-238-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe
| MD5 | 8ddbffe44165d9aaa1278b9042b0d041 |
| SHA1 | a4a7d68b7bd88fff878df1f68791650024de8873 |
| SHA256 | 7422caf5591db9f4db9450fa7999a62be9cb9925449df1a1ea2a844d6d584af9 |
| SHA512 | 8d53534ce423db3f4e95b020ae8c4f45caf896c489906bd4d0ccb194a7419376b2b79a40159d6814e661e89ee0395e6725eefd81fd48d72ca9ca40e9c7e862c9 |
C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe
| MD5 | 8ddbffe44165d9aaa1278b9042b0d041 |
| SHA1 | a4a7d68b7bd88fff878df1f68791650024de8873 |
| SHA256 | 7422caf5591db9f4db9450fa7999a62be9cb9925449df1a1ea2a844d6d584af9 |
| SHA512 | 8d53534ce423db3f4e95b020ae8c4f45caf896c489906bd4d0ccb194a7419376b2b79a40159d6814e661e89ee0395e6725eefd81fd48d72ca9ca40e9c7e862c9 |
memory/1164-241-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
| MD5 | 70f3bc193dfa56b78f3e6e4f800f701f |
| SHA1 | 1e5598f2de49fed2e81f3dd8630c7346a2b89487 |
| SHA256 | 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1 |
| SHA512 | 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1 |
C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
| MD5 | 70f3bc193dfa56b78f3e6e4f800f701f |
| SHA1 | 1e5598f2de49fed2e81f3dd8630c7346a2b89487 |
| SHA256 | 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1 |
| SHA512 | 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1 |
C:\Users\Admin\AppData\Local\Temp\nsc4DB4.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
memory/1164-247-0x00000000030C1000-0x00000000030C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsc4DB4.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
C:\Users\Admin\AppData\Local\Temp\nsc4DB4.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
memory/1564-248-0x000000000341D000-0x000000000344B000-memory.dmp
memory/1564-249-0x0000000000400000-0x000000000302C000-memory.dmp
memory/4268-250-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D6ED.exe
| MD5 | 6e327dfaf7c938622faf253bf3811b1f |
| SHA1 | f465857772cb95a80dade25c65accd1a125b5b0b |
| SHA256 | 8a519dd3c4b60bba2789f6f9ca26bcdb6adfc32f6acc327e55b0274c395328c6 |
| SHA512 | 1a9670d4bf91f81bf9d45009bf6c89aa78dda0ae1432f028376e01c16ac766e869998237dd35928325a2a82800b23655c014f53f00ef49b051720d3272ee4321 |
memory/5096-254-0x0000000004D7A000-0x0000000004E0C000-memory.dmp
memory/4268-253-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4268-255-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 411cd537dcecbf901759b8e6c1bdb076 |
| SHA1 | 655df9870867a1760ad1a2c967b330c61767437a |
| SHA256 | aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db |
| SHA512 | ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 7c56401cb6bd1ae402e06f0fe35f81c4 |
| SHA1 | b82bbb9fa39266796cafcd308ef4300fc92e3399 |
| SHA256 | 0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65 |
| SHA512 | 2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 6c4a4b8f4d735135e1b194f78e8d50db |
| SHA1 | 1473675bab14c5634259fa0c10dac677dc3334d8 |
| SHA256 | 8b93c0e891caf5636a3bec727c527dbe8f165d02d78b438b8e462ed3742505ee |
| SHA512 | 838ad98e7788271ede90036242590a41bc2a719c6bdf16882022a016bec42af7cc393f719d86a11a16b3a4739b3fa9133f54d3d796c2b05381de4964878a922c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | fbaa97f40d6e8c5bfc9e39a2ac07b33d |
| SHA1 | 5d99aac184c0e11b242a5912fe077dccd7d73900 |
| SHA256 | ea81c95b5611bb1342e70f7619df036721bfa3a9c6e3486d016e62459064fa82 |
| SHA512 | 33fb687c37a7c8a90c646aee891b6b5b0bfdb9893920d327f244d4baa8ac49a3f13c6c4127098bd44905c6cae475397532fedea87b6f75e85708631e145dbdd7 |
memory/4268-260-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4752-261-0x0000000008FD0000-0x0000000009192000-memory.dmp
memory/4752-262-0x00000000091B0000-0x00000000096DC000-memory.dmp
memory/4028-263-0x0000000002E96000-0x0000000002EC3000-memory.dmp
memory/4028-264-0x0000000002FC0000-0x000000000300C000-memory.dmp
memory/4028-265-0x0000000000400000-0x0000000002C57000-memory.dmp
memory/4964-266-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/4752-269-0x0000000000400000-0x0000000003034000-memory.dmp
memory/2128-270-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4724-273-0x0000000000000000-mapping.dmp
memory/1564-274-0x000000000341D000-0x000000000344B000-memory.dmp
memory/4916-275-0x0000000000000000-mapping.dmp
memory/4916-276-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4964-279-0x00000000006E8000-0x0000000000716000-memory.dmp
memory/4916-282-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1564-281-0x0000000000400000-0x000000000302C000-memory.dmp
memory/4964-280-0x0000000000610000-0x000000000065C000-memory.dmp
memory/4916-278-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\7fe41e23-2656-426e-9fa7-72c74a741448\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/4916-283-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4268-284-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4028-285-0x0000000002E96000-0x0000000002EC3000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 3fea91ae2471b1d07bac90a82024aab1 |
| SHA1 | 0c477d60b74eb64eeeeb240704806d1556ef24fe |
| SHA256 | 49549d61bf7bb1347bf0755bd96d0b14d31e809588a69ddcb327f174c2ce7afe |
| SHA512 | c55617ea92747a56fdb740fed8c23f540626a9870cce10bbb93808eab6f50f9b5626115fdd3110890c13586e49171dcd6775e330b0f0e5659fd50b2119cd6d5d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | a41aaec3f277a090feba6f41b4371b6e |
| SHA1 | 4e06793a32fc28da92733679273d51736afa66bd |
| SHA256 | dddfca0ee0ce9d9210a653f6a89fb147315adc7ebea04bad60deede36f859d54 |
| SHA512 | f890e43f0708ac51a4d13baf28be7e7a1e1119361478ab05683eaa4ffb6bd9d7d219ffa32a3904b077ea51309142423af1e91540b4c481eb6dd4453ca6c3e2b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 0feddf7ad4399fe0fb73f1776eaf02aa |
| SHA1 | bebf64df114e8418a9fbd926f207b57deda05605 |
| SHA256 | ca56b0942aa00af4e8aff089f36d68c98937de7ea4d5d3c9d4ec368441faae8f |
| SHA512 | 39e7b8a63e94be1a563b4e593117afafe2cd7a588e94357f557687831c831fb8a06fb2169c7741daed2d6448bda067ea3dc2f9219928b4fccd11e152b8d09f46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 1e978948a352b7ce6a877f7ad5546d5b |
| SHA1 | 9437d8eaf42688ad776e5e169fb547e5c849cb10 |
| SHA256 | 2cf5061f505f7ffb2e9a0c4155ead652d60a7039ff750a1a73a47eb1af85e973 |
| SHA512 | 1fe608daf3a71726fb15bdc398a424e45a99b10c9b85bcdeae9b9b0ab8d6aa307abcdd46bdbdaadc0dce85dd96d2b1a72d8944ca889df24d4189d5965bb83822 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | dd0d632767cb8294c29edc74c1aff16a |
| SHA1 | 0418b505849fa635000de3fc2e740d44263348b8 |
| SHA256 | 7cccca5db29d4501d30c3a2c1c3631dbae83e33d51aff36245634eea30d8cc38 |
| SHA512 | 64df393e7e251caee8d134a89fc6b0305d7bc7b49c3be4ebeed4e215184ec516e178eafa2cfc95f5957dc06d05f5d685b0d2bbc8917e4d5de73852aa550ef580 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | 95f9f6651ffe5488cb8e145ca3099420 |
| SHA1 | 9f4ec20cc1001b9f2cbaf5142b711fd75cf114f2 |
| SHA256 | 29722d14136bc151ec14f85bbf1d9f1f687e876fcb556c432c3722cb0898a8a5 |
| SHA512 | e041b4607d77781b194ddfbef293b42388c19a9dcbaebd1e3812aca38aaee67650d1ec458ecd3c5d2152f3f90460007e55083f2d05899ac0b4165da6f0d14e78 |
memory/4916-292-0x0000000051320000-0x00000000513B2000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/4916-313-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4140-314-0x0000000000000000-mapping.dmp
memory/4972-315-0x0000000000000000-mapping.dmp
memory/4916-316-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3980-317-0x0000000000000000-mapping.dmp
memory/3872-318-0x0000000000000000-mapping.dmp
memory/2256-319-0x0000000000000000-mapping.dmp
memory/4140-320-0x0000000004D16000-0x0000000004DEA000-memory.dmp
memory/4140-321-0x0000000004DF0000-0x0000000004F05000-memory.dmp
memory/4140-322-0x0000000000400000-0x00000000030DA000-memory.dmp
memory/540-323-0x0000000000000000-mapping.dmp
memory/1352-324-0x0000000000000000-mapping.dmp
memory/4140-325-0x0000000000400000-0x00000000030DA000-memory.dmp
memory/2256-326-0x00000000061B0000-0x0000000006CF1000-memory.dmp
memory/2256-327-0x0000000004430000-0x0000000004570000-memory.dmp
memory/2256-328-0x0000000004430000-0x0000000004570000-memory.dmp
memory/2256-329-0x00000000061B0000-0x0000000006CF1000-memory.dmp
memory/2256-330-0x0000000004430000-0x0000000004570000-memory.dmp
memory/2256-331-0x0000000004430000-0x0000000004570000-memory.dmp
memory/2256-333-0x0000000004430000-0x0000000004570000-memory.dmp
memory/2256-332-0x0000000004430000-0x0000000004570000-memory.dmp
memory/4516-334-0x00007FF7F6866890-mapping.dmp
memory/4516-335-0x000001C48EBC0000-0x000001C48ED00000-memory.dmp
memory/4516-336-0x000001C48EBC0000-0x000001C48ED00000-memory.dmp
memory/4516-337-0x0000000000920000-0x0000000000BC1000-memory.dmp
memory/4516-338-0x000001C48ED30000-0x000001C48EFE2000-memory.dmp
memory/2256-339-0x00000000061B0000-0x0000000006CF1000-memory.dmp