Analysis Overview
SHA256
3b3ad2db486dc73af2b977d5823f21248bdd533b5b4c8ebfc5f4363feb627ef3
Threat Level: Known bad
The file b474d30039b51a5fd11deda319dde90d.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Vidar
Amadey
Detects Smokeloader packer
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Blocklisted process makes network request
Executes dropped EXE
Downloads MZ/PE file
VMProtect packed file
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Script User-Agent
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-07 09:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-07 09:11
Reported
2023-01-07 09:13
Platform
win7-20221111-en
Max time kernel
150s
Max time network
30s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe
"C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe"
Network
Files
memory/852-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
memory/852-55-0x00000000031DB000-0x00000000031F1000-memory.dmp
memory/852-56-0x0000000000220000-0x0000000000229000-memory.dmp
memory/852-57-0x0000000000400000-0x0000000003010000-memory.dmp
memory/852-58-0x0000000000400000-0x0000000003010000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-07 09:11
Reported
2023-01-07 09:13
Platform
win10v2004-20220901-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe |
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7B20.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7D25.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5E3F.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5E3F.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fefb7108-f622-40bb-b01a-6cf86e8c0a99\\5E3F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5E3F.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2988 set thread context of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\5E3F.exe | C:\Users\Admin\AppData\Local\Temp\5E3F.exe |
| PID 1536 set thread context of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\5E3F.exe | C:\Users\Admin\AppData\Local\Temp\5E3F.exe |
| PID 4016 set thread context of 5096 | N/A | C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe | C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe |
| PID 4484 set thread context of 2296 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5B7E.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1724.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5CD6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5CD6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5CD6.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000027569249100054656d7000003a0009000400efbe21550a58275692492e00000000000000000000000000000000000000000000000000173a2701540065006d007000000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5CD6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe
"C:\Users\Admin\AppData\Local\Temp\b474d30039b51a5fd11deda319dde90d.exe"
C:\Users\Admin\AppData\Local\Temp\5B7E.exe
C:\Users\Admin\AppData\Local\Temp\5B7E.exe
C:\Users\Admin\AppData\Local\Temp\5CD6.exe
C:\Users\Admin\AppData\Local\Temp\5CD6.exe
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
C:\Users\Admin\AppData\Local\Temp\6AA4.exe
C:\Users\Admin\AppData\Local\Temp\6AA4.exe
C:\Users\Admin\AppData\Local\Temp\6F67.exe
C:\Users\Admin\AppData\Local\Temp\6F67.exe
C:\Users\Admin\AppData\Local\Temp\7B20.exe
C:\Users\Admin\AppData\Local\Temp\7B20.exe
C:\Users\Admin\AppData\Local\Temp\7D25.exe
C:\Users\Admin\AppData\Local\Temp\7D25.exe
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Users\Admin\AppData\Local\Temp\7D25.exe
"C:\Users\Admin\AppData\Local\Temp\7D25.exe" -h
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2256 -ip 2256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 364
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\fefb7108-f622-40bb-b01a-6cf86e8c0a99" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3052 -ip 3052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 600
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
"C:\Users\Admin\AppData\Local\Temp\5E3F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
"C:\Users\Admin\AppData\Local\Temp\5E3F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe
"C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe"
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build3.exe
"C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe
"C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe"
C:\Users\Admin\AppData\Local\Temp\1724.exe
C:\Users\Admin\AppData\Local\Temp\1724.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4144 -ip 4144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 556
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4992 -ip 4992
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4992 -s 688
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15611
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.12:443 | tcp | |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.97.0:80 | potunulit.org | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 8.8.8.8:53 | lazydowns.com | udp |
| N/A | 68.65.123.54:443 | lazydowns.com | tcp |
| N/A | 8.8.8.8:53 | cleanpcsoft.com | udp |
| N/A | 198.54.115.119:443 | cleanpcsoft.com | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 8.238.21.254:80 | tcp | |
| N/A | 8.238.21.254:80 | tcp | |
| N/A | 8.238.21.254:80 | tcp | |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 8.8.8.8:53 | xv.yxzgamen.com | udp |
| N/A | 188.114.96.0:443 | xv.yxzgamen.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 188.114.96.0:443 | xv.yxzgamen.com | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 31.167.195.81:80 | spaceris.com | tcp |
| N/A | 109.98.58.98:80 | uaery.top | tcp |
| N/A | 31.167.195.81:80 | spaceris.com | tcp |
| N/A | 8.8.8.8:53 | vatra.at | udp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 194.135.33.42:80 | 194.135.33.42 | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 187.170.238.164:80 | vatra.at | tcp |
| N/A | 127.0.0.1:15611 | tcp | |
| N/A | 127.0.0.1:1312 | tcp | |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.221.35:443 | www.facebook.com | tcp |
| N/A | 157.240.221.35:443 | www.facebook.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
Files
memory/4844-132-0x000000000323D000-0x0000000003252000-memory.dmp
memory/4844-133-0x0000000003080000-0x0000000003089000-memory.dmp
memory/4844-134-0x0000000000400000-0x0000000003010000-memory.dmp
memory/4844-135-0x0000000000400000-0x0000000003010000-memory.dmp
memory/2256-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5B7E.exe
| MD5 | 8e95aa198b3e270c26030485a4029b24 |
| SHA1 | 404974cd71113c5878b84a71c81b7fe0624e7ae1 |
| SHA256 | b1b55c4d774762574e4706d469dfc8609db997059dc2417b500427b9a477ed23 |
| SHA512 | 13486f577f4663d78e06437366e8e02fab672e7fa87f262133dca406176bde340c32c80debf8d27659116a2d0e52b46304126afd5aed7abf3916d933af8cc856 |
C:\Users\Admin\AppData\Local\Temp\5B7E.exe
| MD5 | 8e95aa198b3e270c26030485a4029b24 |
| SHA1 | 404974cd71113c5878b84a71c81b7fe0624e7ae1 |
| SHA256 | b1b55c4d774762574e4706d469dfc8609db997059dc2417b500427b9a477ed23 |
| SHA512 | 13486f577f4663d78e06437366e8e02fab672e7fa87f262133dca406176bde340c32c80debf8d27659116a2d0e52b46304126afd5aed7abf3916d933af8cc856 |
C:\Users\Admin\AppData\Local\Temp\5CD6.exe
| MD5 | 532057761d7a7a742bb77725c583f49c |
| SHA1 | 3e8ec071f62a5a79b4299a82e7babe8678f1afdd |
| SHA256 | dcc65ead78d95a622d946b7a65293a869676142f067ecfdb88a18650c9a5f2bd |
| SHA512 | 0dfeb45d1f4f6a7f1d201f71fcb9956d4b05905271ce4d122e7bb06896aaad36b9a3955ae306466a839cdcc0ab6dd6248754b987bf33e08b4c85357b94012ac7 |
C:\Users\Admin\AppData\Local\Temp\5CD6.exe
| MD5 | 532057761d7a7a742bb77725c583f49c |
| SHA1 | 3e8ec071f62a5a79b4299a82e7babe8678f1afdd |
| SHA256 | dcc65ead78d95a622d946b7a65293a869676142f067ecfdb88a18650c9a5f2bd |
| SHA512 | 0dfeb45d1f4f6a7f1d201f71fcb9956d4b05905271ce4d122e7bb06896aaad36b9a3955ae306466a839cdcc0ab6dd6248754b987bf33e08b4c85357b94012ac7 |
memory/740-139-0x0000000000000000-mapping.dmp
memory/2988-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/4360-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6AA4.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\6AA4.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/4360-148-0x0000000140000000-0x000000014061A000-memory.dmp
memory/5112-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6F67.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
C:\Users\Admin\AppData\Local\Temp\6F67.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/5112-155-0x0000000140000000-0x000000014061A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7B20.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\Temp\7B20.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
memory/3100-159-0x0000000000000000-mapping.dmp
memory/3100-163-0x0000000000780000-0x00000000007E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7D25.exe
| MD5 | 63b232fb041000bc2f8afbc39e77f156 |
| SHA1 | b846d01869f608bb8244fb37ac06769dc1e6315b |
| SHA256 | 99bebc78a2a17913bd666188af9c5f8ccbe59b85c78f3b17275f89bf3d583947 |
| SHA512 | 4c1ef1c31ac81a1b1975777df0d5430bc893b28a82f2c25f53b868d9f95f485c24e78b4f822e4d41e421724689cc9acf4ed35018638f8a01e5ad0dcd34fdf602 |
memory/4952-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7D25.exe
| MD5 | 63b232fb041000bc2f8afbc39e77f156 |
| SHA1 | b846d01869f608bb8244fb37ac06769dc1e6315b |
| SHA256 | 99bebc78a2a17913bd666188af9c5f8ccbe59b85c78f3b17275f89bf3d583947 |
| SHA512 | 4c1ef1c31ac81a1b1975777df0d5430bc893b28a82f2c25f53b868d9f95f485c24e78b4f822e4d41e421724689cc9acf4ed35018638f8a01e5ad0dcd34fdf602 |
memory/5040-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/5072-170-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7D25.exe
| MD5 | 63b232fb041000bc2f8afbc39e77f156 |
| SHA1 | b846d01869f608bb8244fb37ac06769dc1e6315b |
| SHA256 | 99bebc78a2a17913bd666188af9c5f8ccbe59b85c78f3b17275f89bf3d583947 |
| SHA512 | 4c1ef1c31ac81a1b1975777df0d5430bc893b28a82f2c25f53b868d9f95f485c24e78b4f822e4d41e421724689cc9acf4ed35018638f8a01e5ad0dcd34fdf602 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/4336-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/4300-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/3956-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/1000-177-0x0000000000000000-mapping.dmp
memory/1176-180-0x0000000000000000-mapping.dmp
memory/1388-181-0x0000000000000000-mapping.dmp
memory/4120-182-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/4172-184-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
memory/4752-188-0x0000000000000000-mapping.dmp
memory/4752-191-0x0000000000400000-0x0000000000537000-memory.dmp
memory/740-193-0x0000000002E67000-0x0000000002E7C000-memory.dmp
memory/2988-192-0x0000000002E62000-0x0000000002EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/4752-189-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4752-195-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2988-194-0x0000000004A30000-0x0000000004B4B000-memory.dmp
memory/740-196-0x0000000002CB0000-0x0000000002CB9000-memory.dmp
memory/4980-197-0x0000000000000000-mapping.dmp
memory/740-198-0x0000000000400000-0x0000000002C40000-memory.dmp
memory/2256-199-0x000000000320D000-0x0000000003223000-memory.dmp
memory/2752-200-0x0000000000000000-mapping.dmp
memory/1636-201-0x0000000000000000-mapping.dmp
memory/2256-202-0x0000000000400000-0x0000000003013000-memory.dmp
memory/4440-203-0x0000000000000000-mapping.dmp
memory/3500-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/3052-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\fefb7108-f622-40bb-b01a-6cf86e8c0a99\5E3F.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/4752-208-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4752-211-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1536-210-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/740-213-0x0000000000400000-0x0000000002C40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/4256-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5E3F.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/1536-219-0x000000000482B000-0x00000000048BC000-memory.dmp
memory/4256-218-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4256-220-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 7c56401cb6bd1ae402e06f0fe35f81c4 |
| SHA1 | b82bbb9fa39266796cafcd308ef4300fc92e3399 |
| SHA256 | 0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65 |
| SHA512 | 2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 411cd537dcecbf901759b8e6c1bdb076 |
| SHA1 | 655df9870867a1760ad1a2c967b330c61767437a |
| SHA256 | aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db |
| SHA512 | ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 69cbc3880a177fdeaa7789281f34a5c9 |
| SHA1 | 0887dcf8bca9def9a89f93b1a2429a1aeec2ae99 |
| SHA256 | 7099c8570cda74a7ab91e8432f8da2c1d835d25631e49fc1d72ae9b56683388b |
| SHA512 | 6e70bd8bc794f08d431fed38811a5fd7b0fbddfc08e972a1f198dced1b10ca46d837af32fbdf61934240e9f405a25b4ae74ac939716e2f02b7b3a7415593af4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | c248ff2fa0f4d9a4bd05e6c815b0d519 |
| SHA1 | 8dd1ae30a26128217230643d40e69a991932c1ac |
| SHA256 | 05770a645acf2c6bac9dcd8aced0047e6fd11592ad15e8b966232ec338a6e3e8 |
| SHA512 | b59f24c7542b55b248ea4b92050c89415f526a1c0f477b4805a7418e8107f654a3004f4e3d4a772bad314497ce83029bd2fa171323fffd2d035826e564cebd0d |
memory/2256-225-0x0000000000400000-0x0000000003013000-memory.dmp
memory/4256-226-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4016-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/4804-230-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/5028-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/5096-234-0x0000000000000000-mapping.dmp
memory/5096-235-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\53820820-8e90-40e0-9b96-6b4cf8b9deb9\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/4016-238-0x00000000004B8000-0x00000000004E6000-memory.dmp
memory/5096-239-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4016-240-0x0000000001F70000-0x0000000001FBC000-memory.dmp
memory/5096-237-0x0000000000400000-0x0000000000460000-memory.dmp
memory/5096-241-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4256-242-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1724.exe
| MD5 | 381e3092856f036dfe6e773b3086a920 |
| SHA1 | c88625006f7efc16e9fa70b66f9cf1a275210b8f |
| SHA256 | 88a881fea5323fa6b6dc147c64e8efc8bd2ae4379541d2cdd6f38d2f3b0a6a99 |
| SHA512 | 692a17b68a93988ebd53947287bec410adba274fbd0df74c5c32af47ec5ec1d09e8b1fe45a4a01d908565b58152b313f3ca692f20ea5487c4a847e2c01c877b0 |
memory/4144-243-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1724.exe
| MD5 | 381e3092856f036dfe6e773b3086a920 |
| SHA1 | c88625006f7efc16e9fa70b66f9cf1a275210b8f |
| SHA256 | 88a881fea5323fa6b6dc147c64e8efc8bd2ae4379541d2cdd6f38d2f3b0a6a99 |
| SHA512 | 692a17b68a93988ebd53947287bec410adba274fbd0df74c5c32af47ec5ec1d09e8b1fe45a4a01d908565b58152b313f3ca692f20ea5487c4a847e2c01c877b0 |
memory/5096-246-0x00000000509B0000-0x0000000050A42000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/5096-267-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4484-268-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp
| MD5 | 9dd70d24b2657a9254b9fd536a4d06d5 |
| SHA1 | 348a1d210d7c4daef8ecdb692eadf3975971e8ee |
| SHA256 | d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd |
| SHA512 | dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6 |
C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp
| MD5 | 9dd70d24b2657a9254b9fd536a4d06d5 |
| SHA1 | 348a1d210d7c4daef8ecdb692eadf3975971e8ee |
| SHA256 | d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd |
| SHA512 | dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6 |
memory/4144-272-0x0000000004F30000-0x0000000005045000-memory.dmp
memory/4144-271-0x0000000004D62000-0x0000000004E36000-memory.dmp
memory/4144-273-0x0000000000400000-0x00000000030D2000-memory.dmp
memory/4216-274-0x0000000000000000-mapping.dmp
memory/5096-275-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4024-276-0x0000000000000000-mapping.dmp
memory/4448-277-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
memory/4992-280-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
memory/4484-282-0x0000000006A10000-0x0000000007551000-memory.dmp
memory/4484-283-0x0000000006A10000-0x0000000007551000-memory.dmp
memory/4484-284-0x0000000004D00000-0x0000000004E40000-memory.dmp
memory/4484-285-0x0000000004D00000-0x0000000004E40000-memory.dmp
memory/4484-286-0x0000000004D00000-0x0000000004E40000-memory.dmp
memory/4484-287-0x0000000004D00000-0x0000000004E40000-memory.dmp
memory/4484-289-0x0000000004D00000-0x0000000004E40000-memory.dmp
memory/4484-290-0x0000000004D79000-0x0000000004D7B000-memory.dmp
memory/2296-291-0x00007FF6E7146890-mapping.dmp
memory/4484-288-0x0000000004D00000-0x0000000004E40000-memory.dmp
memory/2296-292-0x000001E1548C0000-0x000001E154A00000-memory.dmp
memory/2296-293-0x000001E1548C0000-0x000001E154A00000-memory.dmp
memory/2296-294-0x0000000000B20000-0x0000000000DC1000-memory.dmp
memory/2296-295-0x000001E152FF0000-0x000001E1532A2000-memory.dmp
memory/4484-296-0x0000000006A10000-0x0000000007551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1744-300-0x0000000000000000-mapping.dmp