Analysis Overview
SHA256
6fb4667290e8cf88e1e749120d054be161eb5ed1eaf2d1e2eb51c6121bcbce5d
Threat Level: Known bad
The file c381deebc66153d21111d53654b38270.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Djvu Ransomware
Vidar
Detected Djvu ransomware
Detects Smokeloader packer
SmokeLoader
Amadey
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Modifies file permissions
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Script User-Agent
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-07 07:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-07 07:06
Reported
2023-01-07 07:08
Platform
win7-20220901-en
Max time kernel
150s
Max time network
49s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe
"C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe"
Network
Files
memory/1352-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
memory/1352-55-0x000000000309B000-0x00000000030B1000-memory.dmp
memory/1352-56-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1352-57-0x0000000000400000-0x0000000002C3D000-memory.dmp
memory/1352-58-0x0000000000400000-0x0000000002C3D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-07 07:06
Reported
2023-01-07 07:08
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
140s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
SmokeLoader
Vidar
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E489.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E64F.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\C630.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\C630.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dab5a192-a63b-4fff-ad09-94bb889bd9b8\\C630.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\C630.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1184 set thread context of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\C630.exe | C:\Users\Admin\AppData\Local\Temp\C630.exe |
| PID 4448 set thread context of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\C630.exe | C:\Users\Admin\AppData\Local\Temp\C630.exe |
| PID 488 set thread context of 4888 | N/A | C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe | C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C311.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C311.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C311.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C311.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe
"C:\Users\Admin\AppData\Local\Temp\c381deebc66153d21111d53654b38270.exe"
C:\Users\Admin\AppData\Local\Temp\C311.exe
C:\Users\Admin\AppData\Local\Temp\C311.exe
C:\Users\Admin\AppData\Local\Temp\C46A.exe
C:\Users\Admin\AppData\Local\Temp\C46A.exe
C:\Users\Admin\AppData\Local\Temp\C630.exe
C:\Users\Admin\AppData\Local\Temp\C630.exe
C:\Users\Admin\AppData\Local\Temp\D479.exe
C:\Users\Admin\AppData\Local\Temp\D479.exe
C:\Users\Admin\AppData\Local\Temp\DAA5.exe
C:\Users\Admin\AppData\Local\Temp\DAA5.exe
C:\Users\Admin\AppData\Local\Temp\E489.exe
C:\Users\Admin\AppData\Local\Temp\E489.exe
C:\Users\Admin\AppData\Local\Temp\E64F.exe
C:\Users\Admin\AppData\Local\Temp\E64F.exe
C:\Users\Admin\AppData\Local\Temp\E64F.exe
"C:\Users\Admin\AppData\Local\Temp\E64F.exe" -h
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\C630.exe
C:\Users\Admin\AppData\Local\Temp\C630.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3452 -ip 3452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5096 -ip 5096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 600
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2728 -ip 2728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 600
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\dab5a192-a63b-4fff-ad09-94bb889bd9b8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\C630.exe
"C:\Users\Admin\AppData\Local\Temp\C630.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\C630.exe
"C:\Users\Admin\AppData\Local\Temp\C630.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe
"C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe"
C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build3.exe
"C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe
"C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4888 -ip 4888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1880
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 2452 -ip 2452
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2452 -s 684
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.248.3.254:80 | N/A | tcp |
| N/A | 8.248.3.254:80 | N/A | tcp |
| N/A | 8.248.3.254:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.97.0:80 | potunulit.org | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 8.8.8.8:53 | lazydowns.com | udp |
| N/A | 68.65.123.54:443 | lazydowns.com | tcp |
| N/A | 8.8.8.8:53 | cleanpcsoft.com | udp |
| N/A | 198.54.115.119:443 | cleanpcsoft.com | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| N/A | 207.246.94.159:80 | aaa.apiaaaeg.com | tcp |
| N/A | 207.246.94.159:80 | aaa.apiaaaeg.com | tcp |
| N/A | 8.8.8.8:53 | xv.yxzgamen.com | udp |
| N/A | 188.114.97.0:443 | xv.yxzgamen.com | tcp |
| N/A | 188.114.97.0:443 | xv.yxzgamen.com | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 8.8.8.8:53 | filebin.net | udp |
| N/A | 185.47.40.36:80 | filebin.net | tcp |
| N/A | 185.47.40.36:443 | filebin.net | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 91.104.55.129:80 | spaceris.com | tcp |
| N/A | 109.102.255.230:80 | uaery.top | tcp |
| N/A | 91.104.55.129:80 | spaceris.com | tcp |
| N/A | 207.246.94.159:80 | aaa.apiaaaeg.com | tcp |
| N/A | 8.8.8.8:53 | vatra.at | udp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 23.106.122.87:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 187.212.192.17:80 | vatra.at | tcp |
| N/A | 207.246.94.159:80 | aaa.apiaaaeg.com | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.221.35:443 | www.facebook.com | tcp |
| N/A | 207.246.94.159:80 | aaa.apiaaaeg.com | tcp |
Files
memory/5004-132-0x0000000002F7D000-0x0000000002F92000-memory.dmp
memory/5004-133-0x0000000002E90000-0x0000000002E99000-memory.dmp
memory/5004-134-0x0000000000400000-0x0000000002C3D000-memory.dmp
memory/5004-135-0x0000000000400000-0x0000000002C3D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C311.exe
| MD5 | b3c709ec3db8b56e243107a62bdf7754 |
| SHA1 | 0ffce5826154baf204be7c78faa80b4d36995fec |
| SHA256 | 2970128d3ff085876f74afbdd1cf2c65eefb2aa13fff372d4bf8e10038df0b3f |
| SHA512 | d55a3a94c4be5f5c0b435e08d0450bdc515bd827b1b0d138dc9d192379a85d8f8fc6878359106305196724679832803ee8650bb05f4cb70ef101dee0bf134e09 |
memory/1148-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C311.exe
| MD5 | b3c709ec3db8b56e243107a62bdf7754 |
| SHA1 | 0ffce5826154baf204be7c78faa80b4d36995fec |
| SHA256 | 2970128d3ff085876f74afbdd1cf2c65eefb2aa13fff372d4bf8e10038df0b3f |
| SHA512 | d55a3a94c4be5f5c0b435e08d0450bdc515bd827b1b0d138dc9d192379a85d8f8fc6878359106305196724679832803ee8650bb05f4cb70ef101dee0bf134e09 |
memory/3452-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C46A.exe
| MD5 | 532057761d7a7a742bb77725c583f49c |
| SHA1 | 3e8ec071f62a5a79b4299a82e7babe8678f1afdd |
| SHA256 | dcc65ead78d95a622d946b7a65293a869676142f067ecfdb88a18650c9a5f2bd |
| SHA512 | 0dfeb45d1f4f6a7f1d201f71fcb9956d4b05905271ce4d122e7bb06896aaad36b9a3955ae306466a839cdcc0ab6dd6248754b987bf33e08b4c85357b94012ac7 |
C:\Users\Admin\AppData\Local\Temp\C46A.exe
| MD5 | 532057761d7a7a742bb77725c583f49c |
| SHA1 | 3e8ec071f62a5a79b4299a82e7babe8678f1afdd |
| SHA256 | dcc65ead78d95a622d946b7a65293a869676142f067ecfdb88a18650c9a5f2bd |
| SHA512 | 0dfeb45d1f4f6a7f1d201f71fcb9956d4b05905271ce4d122e7bb06896aaad36b9a3955ae306466a839cdcc0ab6dd6248754b987bf33e08b4c85357b94012ac7 |
memory/1184-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
C:\Users\Admin\AppData\Local\Temp\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/1800-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D479.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\D479.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/1800-148-0x0000000140000000-0x000000014061A000-memory.dmp
memory/1052-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DAA5.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\DAA5.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/1052-155-0x0000000140000000-0x000000014061A000-memory.dmp
memory/2900-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E489.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\Temp\E489.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
memory/952-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E64F.exe
| MD5 | 63b232fb041000bc2f8afbc39e77f156 |
| SHA1 | b846d01869f608bb8244fb37ac06769dc1e6315b |
| SHA256 | 99bebc78a2a17913bd666188af9c5f8ccbe59b85c78f3b17275f89bf3d583947 |
| SHA512 | 4c1ef1c31ac81a1b1975777df0d5430bc893b28a82f2c25f53b868d9f95f485c24e78b4f822e4d41e421724689cc9acf4ed35018638f8a01e5ad0dcd34fdf602 |
C:\Users\Admin\AppData\Local\Temp\E64F.exe
| MD5 | 63b232fb041000bc2f8afbc39e77f156 |
| SHA1 | b846d01869f608bb8244fb37ac06769dc1e6315b |
| SHA256 | 99bebc78a2a17913bd666188af9c5f8ccbe59b85c78f3b17275f89bf3d583947 |
| SHA512 | 4c1ef1c31ac81a1b1975777df0d5430bc893b28a82f2c25f53b868d9f95f485c24e78b4f822e4d41e421724689cc9acf4ed35018638f8a01e5ad0dcd34fdf602 |
memory/2900-165-0x0000000000D70000-0x0000000000DD6000-memory.dmp
memory/3584-167-0x0000000000000000-mapping.dmp
memory/1784-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E64F.exe
| MD5 | 63b232fb041000bc2f8afbc39e77f156 |
| SHA1 | b846d01869f608bb8244fb37ac06769dc1e6315b |
| SHA256 | 99bebc78a2a17913bd666188af9c5f8ccbe59b85c78f3b17275f89bf3d583947 |
| SHA512 | 4c1ef1c31ac81a1b1975777df0d5430bc893b28a82f2c25f53b868d9f95f485c24e78b4f822e4d41e421724689cc9acf4ed35018638f8a01e5ad0dcd34fdf602 |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/824-170-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/8-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/3792-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/2484-179-0x0000000000000000-mapping.dmp
memory/3380-180-0x0000000000000000-mapping.dmp
memory/1836-181-0x0000000000000000-mapping.dmp
memory/1840-182-0x0000000000000000-mapping.dmp
memory/4812-184-0x0000000000000000-mapping.dmp
memory/1148-183-0x00000000032CD000-0x00000000032E2000-memory.dmp
memory/1148-185-0x0000000003150000-0x0000000003159000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
memory/112-191-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1184-192-0x00000000048DE000-0x000000000496F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/1184-194-0x0000000004A00000-0x0000000004B1B000-memory.dmp
memory/3160-195-0x0000000000000000-mapping.dmp
memory/112-189-0x0000000000400000-0x0000000000537000-memory.dmp
memory/112-188-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/112-193-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2728-197-0x0000000000000000-mapping.dmp
memory/1148-199-0x0000000000400000-0x0000000003010000-memory.dmp
memory/5096-198-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/2256-203-0x0000000000000000-mapping.dmp
memory/3452-204-0x0000000000400000-0x0000000002C40000-memory.dmp
memory/112-205-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3472-206-0x0000000000000000-mapping.dmp
memory/3452-207-0x0000000002DC7000-0x0000000002DDC000-memory.dmp
memory/1988-208-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\dab5a192-a63b-4fff-ad09-94bb889bd9b8\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/4448-211-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/112-213-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3576-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/3576-217-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4448-218-0x0000000002E48000-0x0000000002ED9000-memory.dmp
memory/3576-219-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 411cd537dcecbf901759b8e6c1bdb076 |
| SHA1 | 655df9870867a1760ad1a2c967b330c61767437a |
| SHA256 | aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db |
| SHA512 | ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | c076bf9d99fbb64b33ff60bd50293ff0 |
| SHA1 | c383a778eab0cfec7ccf91676d2d70de037f56f3 |
| SHA256 | 4e10f97b5158332c115a96e9cd53f1adef32f11872002bc9b10b0cbc71a13fbe |
| SHA512 | e3dd773426258f62e1140fd699cdf799ff703fcaa9506b687d209cfcc51ad6c3be78729b7b18a418680a8c0f316836b29b7e70dd88988efb09fb544fb675abd7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 7c56401cb6bd1ae402e06f0fe35f81c4 |
| SHA1 | b82bbb9fa39266796cafcd308ef4300fc92e3399 |
| SHA256 | 0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65 |
| SHA512 | 2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 33fe8a9048ebaea0c9bd83fe0e8ea889 |
| SHA1 | 1b45afee8c866c399c3368a4c81c38a0d15c8f17 |
| SHA256 | ad3976f5d63d34da17652d729553328a948a66345c4c203c228c5b9faa25524d |
| SHA512 | 1542f2f49c3908fe3f16daef831ba5651d17a3372d0de4b53f8e8c9ccc60f0b3eaa5e4862e5ba58493c7d9e4e3a5fd09c21dbabb9b2aedf41bfce455ed532eca |
memory/3576-225-0x0000000000400000-0x0000000000537000-memory.dmp
memory/488-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/4948-229-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/5012-232-0x0000000000000000-mapping.dmp
memory/4888-233-0x0000000000000000-mapping.dmp
memory/4888-234-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/4888-236-0x0000000000400000-0x0000000000460000-memory.dmp
memory/488-237-0x00000000004AB000-0x00000000004D8000-memory.dmp
memory/488-239-0x0000000002070000-0x00000000020BC000-memory.dmp
memory/4888-238-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4888-240-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3576-241-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4888-242-0x00000000509C0000-0x0000000050A52000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/4888-263-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4888-264-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3184-265-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
memory/2452-268-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/208-273-0x0000000000000000-mapping.dmp
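The dropped-file list above records the same payload under several names: Player3.exe and 16de06bfb4\nbveek.exe share one SHA256, as do build3.exe and Roaming\Microsoft\Network\mstsca.exe, and C630.exe is written again under a GUID-named folder. When turning such a report into an IOC set, the useful unit is the hash, not the path. The following is an added example, not code from the sandbox or from this report: it parses the "path / | ALG | hex |" layout used above, rejects hashes of the wrong length (a truncated copy-paste would otherwise enter a blocklist silently), and groups paths by SHA256 so renamed copies stand out. The embedded sample is a constructed subset of the entries above, with memory-dump references included only to show they are skipped.

```python
"""Group a sandbox dropped-file list by hash to expose renamed copies of one payload."""
import re
from collections import defaultdict

# Constructed sample: a subset of the dropped-file entries from the report above,
# in the same layout. It is not the complete list.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
memory/8-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
C:\Users\Admin\AppData\Local\Temp\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
C:\Users\Admin\AppData\Local\dab5a192-a63b-4fff-ad09-94bb889bd9b8\C630.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
C:\Users\Admin\AppData\Local\ced61945-4657-4770-a6ed-866588337943\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
"""

# Expected hex-digit count per algorithm; anything else is a truncated or garbled hash.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_dropped_files(text):
    """Return {sha256: {"paths": [...], "md5": ..., "sha1": ...}}.

    A path line opens an entry; the '| ALG | hex |' rows that follow belong to it;
    'memory/...' dump references are skipped. A hash with the wrong hex length
    raises ValueError instead of being accepted into the result.
    """
    entries = defaultdict(lambda: {"paths": [], "md5": None, "sha1": None})
    current_path, current = None, {}

    def flush():
        sha = current.get("SHA256")
        if current_path and sha:
            ent = entries[sha]
            if current_path not in ent["paths"]:
                ent["paths"].append(current_path)  # keeps first-seen order
            ent["md5"] = current.get("MD5")
            ent["sha1"] = current.get("SHA1")

    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = ROW_RE.match(line)
        if m:
            alg, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != HASH_LENGTHS[alg]:
                raise ValueError(f"{alg} for {current_path!r} has {len(hexval)} hex digits")
            current[alg] = hexval
        else:
            flush()  # a new path line closes the previous entry
            current_path, current = line, {}
    flush()
    return dict(entries)


def renamed_copies(entries):
    """SHA256 values that were written under more than one path (same payload, new name)."""
    return {sha: e["paths"] for sha, e in entries.items() if len(e["paths"]) > 1}


def unique_sha256_iocs(entries):
    """Deduplicated, sorted SHA256 list suitable for a blocklist or hunt query."""
    return sorted(entries)


if __name__ == "__main__":
    parsed = parse_dropped_files(SAMPLE_REPORT)
    for sha, paths in renamed_copies(parsed).items():
        print(sha, "->", paths)
    print(len(unique_sha256_iocs(parsed)), "unique payloads")
```

Grouping by hash rather than by path is what lets the persistence copies show through: the list above contains many more path entries than distinct binaries, and a blocklist built from paths alone would miss the next renamed drop.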