Analysis Overview
SHA256
56e7b574029fa5272d7cdc325ffc8b93878efe5a008a021400fde5e97fd3fa76
Threat Level: Known bad
The file cfd57a3bbe2a49525cc1ff6183cc2085.exe was found to be: Known bad.
Malicious Activity Summary
Vidar
Detected Djvu ransomware
Detects Smokeloader packer
Djvu Ransomware
SmokeLoader
Process spawned unexpected child process
Amadey
Executes dropped EXE
Downloads MZ/PE file
VMProtect packed file
Blocklisted process makes network request
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Script User-Agent
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-07 11:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-07 11:26
Reported
2023-01-07 11:28
Platform
win7-20220812-en
Max time kernel
150s
Max time network
41s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe
"C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe"
Network
Files
memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp
memory/1160-55-0x000000000028B000-0x00000000002A1000-memory.dmp
memory/1160-56-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/1160-57-0x0000000000400000-0x0000000003013000-memory.dmp
memory/1160-58-0x0000000000400000-0x0000000003013000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-07 11:26
Reported
2023-01-07 11:28
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B78D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E3A3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E569.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3003.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B78D.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\641e7a09-d04b-4345-b2ca-b11503695e4c\\B78D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\B78D.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2564 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\B78D.exe | C:\Users\Admin\AppData\Local\Temp\B78D.exe |
| PID 3172 set thread context of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\B78D.exe | C:\Users\Admin\AppData\Local\Temp\B78D.exe |
| PID 1984 set thread context of 4356 | N/A | C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe | C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe |
| PID 4388 set thread context of 2864 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BB58.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BB58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BB58.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000027567763100054656d7000003a0009000400efbe6b558a6c275677632e000000000000000000000000000000000000000000000000008787ab00540065006d007000000014000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BB58.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EB37.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ED3B.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe
"C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe"
C:\Users\Admin\AppData\Local\Temp\B78D.exe
C:\Users\Admin\AppData\Local\Temp\B78D.exe
C:\Users\Admin\AppData\Local\Temp\BA2E.exe
C:\Users\Admin\AppData\Local\Temp\BA2E.exe
C:\Users\Admin\AppData\Local\Temp\BB58.exe
C:\Users\Admin\AppData\Local\Temp\BB58.exe
C:\Users\Admin\AppData\Local\Temp\CF1F.exe
C:\Users\Admin\AppData\Local\Temp\CF1F.exe
C:\Users\Admin\AppData\Local\Temp\B78D.exe
C:\Users\Admin\AppData\Local\Temp\B78D.exe
C:\Users\Admin\AppData\Local\Temp\D3B4.exe
C:\Users\Admin\AppData\Local\Temp\D3B4.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 32 -ip 32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 340
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\641e7a09-d04b-4345-b2ca-b11503695e4c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\E3A3.exe
C:\Users\Admin\AppData\Local\Temp\E3A3.exe
C:\Users\Admin\AppData\Local\Temp\E569.exe
C:\Users\Admin\AppData\Local\Temp\E569.exe
C:\Users\Admin\AppData\Local\Temp\B78D.exe
"C:\Users\Admin\AppData\Local\Temp\B78D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\EB37.exe
C:\Users\Admin\AppData\Local\Temp\EB37.exe
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Users\Admin\AppData\Local\Temp\ED3B.exe
C:\Users\Admin\AppData\Local\Temp\ED3B.exe
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3912 -ip 3912
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1556
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\3003.exe
"C:\Users\Admin\AppData\Local\Temp\3003.exe" -h
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 224 -ip 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 608
C:\Users\Admin\AppData\Local\Temp\B78D.exe
"C:\Users\Admin\AppData\Local\Temp\B78D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe"
C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe
"C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe"
C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build3.exe
"C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe
"C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4916 -ip 4916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2404 -ip 2404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1812
C:\Users\Admin\AppData\Local\Temp\AEC7.exe
C:\Users\Admin\AppData\Local\Temp\AEC7.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 556
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 4656 -ip 4656
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4656 -s 680
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15585
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.0:80 | potunulit.org | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 8.8.8.8:53 | lazydowns.com | udp |
| N/A | 68.65.123.54:443 | lazydowns.com | tcp |
| N/A | 8.8.8.8:53 | cleanpcsoft.com | udp |
| N/A | 198.54.115.119:443 | cleanpcsoft.com | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.214.35:443 | www.facebook.com | tcp |
| N/A | 157.240.214.35:443 | www.facebook.com | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 20.189.173.7:443 | | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 8.8.8.8:53 | xv.yxzgamen.com | udp |
| N/A | 188.114.97.0:443 | xv.yxzgamen.com | tcp |
| N/A | 77.73.134.27:80 | 77.73.134.27 | tcp |
| N/A | 188.114.97.0:443 | xv.yxzgamen.com | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 8.248.99.254:80 | | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 190.117.75.91:80 | uaery.top | tcp |
| N/A | 195.158.3.162:80 | uaery.top | tcp |
| N/A | 91.215.85.155:32796 | | tcp |
| N/A | 91.215.85.155:32796 | | tcp |
| N/A | 195.158.3.162:80 | uaery.top | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
| N/A | 8.8.8.8:53 | vatra.at | udp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 194.135.33.42:80 | 194.135.33.42 | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 37.34.248.24:80 | vatra.at | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 127.0.0.1:15585 | | tcp |
| N/A | 127.0.0.1:1312 | | tcp |
Files
memory/4800-132-0x00000000032AD000-0x00000000032C3000-memory.dmp
memory/4800-133-0x0000000003090000-0x0000000003099000-memory.dmp
memory/4800-134-0x0000000000400000-0x0000000003013000-memory.dmp
memory/4800-135-0x0000000000400000-0x0000000003013000-memory.dmp
memory/2564-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B78D.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/32-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BA2E.exe
| MD5 | f4809ee5283af108b27414b981a4e2b5 |
| SHA1 | a03e48306eb3428eb66b7eac083645c25d27a88f |
| SHA256 | b16423d6fac94c4fee017af609c76d2fc8a7d7ad375a8532d28b399bf9756baa |
| SHA512 | 0db0bef451e2c8251f9e14fe0ba08149f856307b9c905f811640a543d0a2c6a935fd68248e612035d6e676953bdfde7d186e066c1ef7ce41548ce377e3e8b145 |
memory/2296-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BB58.exe
| MD5 | f4809ee5283af108b27414b981a4e2b5 |
| SHA1 | a03e48306eb3428eb66b7eac083645c25d27a88f |
| SHA256 | b16423d6fac94c4fee017af609c76d2fc8a7d7ad375a8532d28b399bf9756baa |
| SHA512 | 0db0bef451e2c8251f9e14fe0ba08149f856307b9c905f811640a543d0a2c6a935fd68248e612035d6e676953bdfde7d186e066c1ef7ce41548ce377e3e8b145 |
memory/3896-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CF1F.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/2808-149-0x0000000000000000-mapping.dmp
memory/3896-148-0x0000000140000000-0x000000014061A000-memory.dmp
memory/2564-152-0x0000000004950000-0x00000000049E1000-memory.dmp
memory/2648-157-0x0000000000000000-mapping.dmp
memory/2808-159-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2564-156-0x0000000004A50000-0x0000000004B6B000-memory.dmp
memory/2808-155-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2808-151-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B78D.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
C:\Users\Admin\AppData\Local\Temp\D3B4.exe
| MD5 | ba2d41ce64789f113baa25ad6014d9ef |
| SHA1 | 2a613d52de7beddced943814a65f66d8e465fc58 |
| SHA256 | fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646 |
| SHA512 | 1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301 |
memory/2808-163-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2648-162-0x0000000140000000-0x000000014061A000-memory.dmp
memory/2296-168-0x0000000003190000-0x0000000003199000-memory.dmp
memory/2296-167-0x000000000304D000-0x0000000003062000-memory.dmp
memory/2296-169-0x0000000000400000-0x0000000003013000-memory.dmp
memory/32-170-0x00000000032FD000-0x0000000003312000-memory.dmp
memory/3672-171-0x0000000000000000-mapping.dmp
memory/32-172-0x0000000000400000-0x0000000003013000-memory.dmp
memory/1984-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E3A3.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
C:\Users\Admin\AppData\Local\641e7a09-d04b-4345-b2ca-b11503695e4c\B78D.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/3912-177-0x0000000000000000-mapping.dmp
memory/1984-180-0x0000000000E00000-0x0000000000E66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E569.exe
| MD5 | bfba4f7ae02850791fa1f1df25638ca4 |
| SHA1 | a348a0cc4bec6f63761c270d3bb8cbc250354115 |
| SHA256 | 598856375b780e9527998e05387b2ae938b3570fb68997708e35224ad78e31fe |
| SHA512 | 777025da268188cc747cadcf595e6de60fed787de1532e4d9ca8e263695ae56629ac9acc626df37eb6d859f05f71507df782693e493190a3f5b95e374efd1f29 |
memory/3172-181-0x0000000000000000-mapping.dmp
memory/2808-182-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
C:\Users\Admin\AppData\Local\Temp\B78D.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/4368-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EB37.exe
| MD5 | f8b927b1359fd25d1c97c0d1f2a8b479 |
| SHA1 | f44d3551ffc86aff5053312bbcc2e10f74ad88f3 |
| SHA256 | 3a9814b076cb6cfb18723b32fefca7b5465a6ace11e35b62a799b70812e29024 |
| SHA512 | c04d07b0d39f9e417d8022012f68b8fd0ee5699186cb0a7539b76ef687c062123f4b66bbbfb98593e9ac91c4835e9b599924c28ece44cc88eadefe37fd42d7bb |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/2772-189-0x0000000000000000-mapping.dmp
memory/4916-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/3556-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ED3B.exe
| MD5 | f8b927b1359fd25d1c97c0d1f2a8b479 |
| SHA1 | f44d3551ffc86aff5053312bbcc2e10f74ad88f3 |
| SHA256 | 3a9814b076cb6cfb18723b32fefca7b5465a6ace11e35b62a799b70812e29024 |
| SHA512 | c04d07b0d39f9e417d8022012f68b8fd0ee5699186cb0a7539b76ef687c062123f4b66bbbfb98593e9ac91c4835e9b599924c28ece44cc88eadefe37fd42d7bb |
memory/396-195-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
C:\Users\Admin\AppData\Local\Temp\ED3B.exe
| MD5 | f8b927b1359fd25d1c97c0d1f2a8b479 |
| SHA1 | f44d3551ffc86aff5053312bbcc2e10f74ad88f3 |
| SHA256 | 3a9814b076cb6cfb18723b32fefca7b5465a6ace11e35b62a799b70812e29024 |
| SHA512 | c04d07b0d39f9e417d8022012f68b8fd0ee5699186cb0a7539b76ef687c062123f4b66bbbfb98593e9ac91c4835e9b599924c28ece44cc88eadefe37fd42d7bb |
memory/2296-199-0x0000000000400000-0x0000000003013000-memory.dmp
memory/4580-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/4044-204-0x0000000000000000-mapping.dmp
memory/380-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/1900-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3003.exe
| MD5 | 0f1be169da6df849e2d5c8f3442472f8 |
| SHA1 | b4e98acb1c303528d8871a04e9da70e6dcd55393 |
| SHA256 | 228308e07974786e739d3a2d37f3e6088e393db436f18f5b592ca82e3b333fb1 |
| SHA512 | 850a720ba926d57cdc1a18e4a59fc507f447fca363b3c34ed62c5b35a9cada2fac29e558f57fa5e0e05f4e5ac043293285f7e2a7d57d4f21f42222af3092902d |
memory/3328-207-0x0000000000000000-mapping.dmp
memory/1960-209-0x0000000000000000-mapping.dmp
memory/4412-210-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/2972-215-0x0000000000000000-mapping.dmp
memory/224-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/4708-217-0x0000000000000000-mapping.dmp
memory/4708-221-0x0000000000A90000-0x0000000001230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | d8fdf3094adfa6cd96ad85cb3b1c0888 |
| SHA1 | e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef |
| SHA256 | 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087 |
| SHA512 | a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94 |
C:\Users\Admin\AppData\Local\Temp\1000006001\jon_file.exe
| MD5 | bdb4e8663e6eb546a2bde8f8e3e9cdb4 |
| SHA1 | 3750742d25938f8cab8b98c3392f6cbdfd5b6a62 |
| SHA256 | 8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5 |
| SHA512 | 71e411938423ec77111b9e7fd896c6fd4b6e958634042bf45a2f97168da5ac7e10891d707af30b34461b937e45c9c71806989c9df10a30ab71de0050d9ca2a28 |
memory/3172-224-0x00000000047E1000-0x0000000004872000-memory.dmp
memory/1468-223-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B78D.exe
| MD5 | 951d4939a57c618adb23a2706d71e310 |
| SHA1 | eaf91c3038cc9ae140b9dd8526877031c9ffab0e |
| SHA256 | 539952c06c63a7adf3ebe255db55d70a38b7f170d8e7b9e17dd787fd88010d0d |
| SHA512 | edb42167775dad5fbdffbdb38e3e3e38f7b85e32ab1fa70d96dc5228faa9162313abfd6b914bb4ef8fc38265fe91c858ccca5fe4140b8fb4a94ec1e5f08a72ea |
memory/1468-228-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1468-227-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe
| MD5 | 8ddbffe44165d9aaa1278b9042b0d041 |
| SHA1 | a4a7d68b7bd88fff878df1f68791650024de8873 |
| SHA256 | 7422caf5591db9f4db9450fa7999a62be9cb9925449df1a1ea2a844d6d584af9 |
| SHA512 | 8d53534ce423db3f4e95b020ae8c4f45caf896c489906bd4d0ccb194a7419376b2b79a40159d6814e661e89ee0395e6725eefd81fd48d72ca9ca40e9c7e862c9 |
memory/2404-229-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\build_2023-01-06_10-15_protected.exe
| MD5 | 8ddbffe44165d9aaa1278b9042b0d041 |
| SHA1 | a4a7d68b7bd88fff878df1f68791650024de8873 |
| SHA256 | 7422caf5591db9f4db9450fa7999a62be9cb9925449df1a1ea2a844d6d584af9 |
| SHA512 | 8d53534ce423db3f4e95b020ae8c4f45caf896c489906bd4d0ccb194a7419376b2b79a40159d6814e661e89ee0395e6725eefd81fd48d72ca9ca40e9c7e862c9 |
memory/4704-233-0x0000000000000000-mapping.dmp
memory/4916-232-0x0000000007740000-0x0000000007CE4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
| MD5 | 70f3bc193dfa56b78f3e6e4f800f701f |
| SHA1 | 1e5598f2de49fed2e81f3dd8630c7346a2b89487 |
| SHA256 | 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1 |
| SHA512 | 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1 |
memory/4368-239-0x00000000033FD000-0x000000000342B000-memory.dmp
memory/4368-241-0x0000000003180000-0x00000000031CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu2B58.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
memory/1468-243-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4916-244-0x0000000007CF0000-0x0000000008308000-memory.dmp
memory/4368-248-0x00000000083B0000-0x00000000084BA000-memory.dmp
memory/4704-247-0x00000000030C1000-0x00000000030C3000-memory.dmp
memory/4368-250-0x0000000007730000-0x000000000776C000-memory.dmp
memory/4916-249-0x0000000007710000-0x0000000007722000-memory.dmp
memory/4604-251-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nsu2B58.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
| MD5 | 70f3bc193dfa56b78f3e6e4f800f701f |
| SHA1 | 1e5598f2de49fed2e81f3dd8630c7346a2b89487 |
| SHA256 | 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1 |
| SHA512 | 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 411cd537dcecbf901759b8e6c1bdb076 |
| SHA1 | 655df9870867a1760ad1a2c967b330c61767437a |
| SHA256 | aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db |
| SHA512 | ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | f0f113ba8b4a90f482cdf03e3a6ea9bf |
| SHA1 | 894106831fb53d53d6aea464af531783f7cb1701 |
| SHA256 | fc396a9009b413ba6a86dccbfaa51e37e6a5d259c40c738894091fe2d8a638e1 |
| SHA512 | 9d462c1ba9f2ac2a7bec16d7cff7835e62d4b7c4b94b60ec94633f6a51e912c7cb99705b6d4c8b646e0446461d9ee00acf701d167902e1e07581853ce562cc91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 7c56401cb6bd1ae402e06f0fe35f81c4 |
| SHA1 | b82bbb9fa39266796cafcd308ef4300fc92e3399 |
| SHA256 | 0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65 |
| SHA512 | 2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | d27537fea03fef3a71ecf7e9ad476277 |
| SHA1 | 868f83ff176854d6d5faf763bcb7deff40cd0fec |
| SHA256 | a54d9060886eb3e23248e0dbd9706962221b7202c825528f70f2bab27495a780 |
| SHA512 | 7a7e9d65dfa5833d63cf9bfd7b6892fe9cbc90938bacf6407cee9fd460a1d91ae0fd85b9f4cd374c068288ec081ce9c4659f157c889f9fdc3b67889eb90a5f60 |
memory/4368-252-0x0000000000400000-0x000000000302C000-memory.dmp
memory/4916-253-0x000000000333D000-0x000000000336B000-memory.dmp
memory/4916-254-0x0000000000400000-0x000000000302C000-memory.dmp
memory/640-255-0x0000000000000000-mapping.dmp
memory/3428-256-0x0000000000000000-mapping.dmp
memory/4292-257-0x0000000000000000-mapping.dmp
memory/1984-258-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/3600-261-0x0000000000000000-mapping.dmp
memory/4132-264-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4916-265-0x0000000008710000-0x0000000008776000-memory.dmp
memory/4368-266-0x0000000008DB0000-0x0000000008E42000-memory.dmp
memory/2404-267-0x0000000002FA6000-0x0000000002FD3000-memory.dmp
memory/2404-268-0x0000000002DB0000-0x0000000002DFC000-memory.dmp
memory/2404-269-0x0000000000400000-0x0000000002C57000-memory.dmp
memory/4356-270-0x0000000000000000-mapping.dmp
memory/4356-271-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4356-273-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4356-274-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1984-275-0x0000000000708000-0x0000000000736000-memory.dmp
memory/1984-276-0x0000000002090000-0x00000000020DC000-memory.dmp
memory/4916-277-0x0000000009100000-0x00000000092C2000-memory.dmp
memory/4916-278-0x00000000092E0000-0x000000000980C000-memory.dmp
memory/4368-279-0x00000000033FD000-0x000000000342B000-memory.dmp
memory/1468-280-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4916-281-0x000000000333D000-0x000000000336B000-memory.dmp
memory/4356-282-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4916-283-0x0000000000400000-0x000000000302C000-memory.dmp
memory/4368-284-0x0000000000400000-0x000000000302C000-memory.dmp
memory/2404-285-0x0000000002FA6000-0x0000000002FD3000-memory.dmp
memory/2404-286-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1508-287-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AEC7.exe
| MD5 | 381e3092856f036dfe6e773b3086a920 |
| SHA1 | c88625006f7efc16e9fa70b66f9cf1a275210b8f |
| SHA256 | 88a881fea5323fa6b6dc147c64e8efc8bd2ae4379541d2cdd6f38d2f3b0a6a99 |
| SHA512 | 692a17b68a93988ebd53947287bec410adba274fbd0df74c5c32af47ec5ec1d09e8b1fe45a4a01d908565b58152b313f3ca692f20ea5487c4a847e2c01c877b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | 5cea683e03cc6cf117180a38205776d8 |
| SHA1 | 8a9544ba79bec18e77b415ac868a999602f97638 |
| SHA256 | 6e7dfd3aac8836f62fefde525f5c61c5704b914fc77df85cba9efa8886cefd6c |
| SHA512 | 1afad217fe7713ef7ee3cc1e33c5ef2626384ccaa73d745ad09d120ca1880f313d0f73cd14df284907bd1f2394b64600a22a394b694b4816f58af75abfb57a21 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | b4d425051d3a7e6270a6174584582978 |
| SHA1 | baf62f0011e2ff1b2e1235efb941868038d949ba |
| SHA256 | b366b5e73afd7a355c1c3170dc59d32ade31955916a344ef6886bee20e00fdef |
| SHA512 | c7e10ceddd947bfe7ae604808bb60e2bd766d49208599027ab38f22a4e1fdd7d918b84b7f5dae871053967c2c08c78529510a2dec6d37e90526c3cde691f947e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 0feddf7ad4399fe0fb73f1776eaf02aa |
| SHA1 | bebf64df114e8418a9fbd926f207b57deda05605 |
| SHA256 | ca56b0942aa00af4e8aff089f36d68c98937de7ea4d5d3c9d4ec368441faae8f |
| SHA512 | 39e7b8a63e94be1a563b4e593117afafe2cd7a588e94357f557687831c831fb8a06fb2169c7741daed2d6448bda067ea3dc2f9219928b4fccd11e152b8d09f46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 60f2d88e220692b7275947d8dda4e77e |
| SHA1 | 38677d8659a0948bcd09cf1a2a2f2056118d94b7 |
| SHA256 | 714510677f46d9d27f039fed1ad4a822b8ef5e27dad48565531d166c650846ca |
| SHA512 | 3d6840b90b32d7fd16f556aef39f601887257d7a8b7fc40c15b929c7fe5dd6f355b41879cb38dde26aa0c63d4856386609417278d7c1e3f9bd028083e793697e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | b9bb1703647881624933ccf903d163a3 |
| SHA1 | 2f283d29f94f1468fb620169b7c1ab2a717e3a5f |
| SHA256 | 3a3a140ebfd7e7feee08fba16337fd9ed49b7ee17ff1f430f96751a8b456e4f3 |
| SHA512 | 5ed255cc2fe30e29832239b3bce12937861904231e98b246623ff421e02be25b48d3573bdab7bd01f5af1ef47833473a02dfdff0c3e085380d7b893461b67092 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 71fca65be4165bb847bce65553d6cdb4 |
| SHA1 | 2e65834d983f94aa873ce6395c5b28dae3185770 |
| SHA256 | 97cefe014aab1214fcdd955cc7e82470450780da4cbb8927f2735a678b0099bb |
| SHA512 | 3324160e328b498fbd0382359d02e9eb46057a18b0067c4a942e8992c8280cccf9dc464885e52a207f375bd2c8018e67cdd143e67dc8a805b38fb26e2bc554ab |
memory/4356-296-0x0000000050960000-0x00000000509F2000-memory.dmp
memory/4388-315-0x0000000000000000-mapping.dmp
memory/1508-316-0x0000000004D34000-0x0000000004E08000-memory.dmp
memory/1508-317-0x0000000004F30000-0x0000000005045000-memory.dmp
memory/1508-318-0x0000000000400000-0x00000000030D2000-memory.dmp
memory/3652-319-0x0000000000000000-mapping.dmp
memory/4356-320-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4644-321-0x0000000000000000-mapping.dmp
memory/4296-322-0x0000000000000000-mapping.dmp
memory/4656-323-0x0000000000000000-mapping.dmp
memory/4388-324-0x0000000006080000-0x0000000006BC1000-memory.dmp
memory/4388-325-0x0000000006080000-0x0000000006BC1000-memory.dmp
memory/4388-326-0x0000000004280000-0x00000000043C0000-memory.dmp
memory/4388-327-0x0000000004280000-0x00000000043C0000-memory.dmp
memory/4388-328-0x0000000004280000-0x00000000043C0000-memory.dmp
memory/4388-329-0x0000000004280000-0x00000000043C0000-memory.dmp
memory/4388-330-0x0000000004280000-0x00000000043C0000-memory.dmp
memory/4388-331-0x0000000004280000-0x00000000043C0000-memory.dmp
memory/2864-332-0x00007FF7916E6890-mapping.dmp
memory/2864-333-0x00000140DCA50000-0x00000140DCB90000-memory.dmp
memory/2864-334-0x00000140DCA50000-0x00000140DCB90000-memory.dmp
memory/2864-335-0x0000000000CF0000-0x0000000000F91000-memory.dmp
memory/2864-336-0x00000140DAFF0000-0x00000140DB2A2000-memory.dmp
memory/3956-337-0x0000000000000000-mapping.dmp
memory/4388-338-0x0000000006080000-0x0000000006BC1000-memory.dmp
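The artifact list above mixes two record types: dropped files (a path followed by an MD5/SHA1/SHA256/SHA512 table, sometimes repeated when the same file is written more than once) and memory dumps, whose names encode the PID, a sequence number and the dumped address range (`mapping.dmp` entries carry a single address or none and no range). The `CryptnetUrlCache` entries under `AppData\LocalLow\Microsoft` are the Windows CryptoAPI cache for certificate chain and revocation data fetched during TLS or signature validation; they are a by-product of the sample's network activity rather than payloads, and should not be treated as IOCs on their own. The script below is an added example, not part of the sandbox report: it parses a constructed subset of the lines above, collapses repeated file records by SHA256 (rejecting malformed hashes), and flags identical memory ranges dumped from more than one PID. On this sample the `0x400000-0x302C000` range appears under PIDs 4368 and 4916 and `0x400000-0x460000` under 2404 and 4356, which is the first thing to pull and diff when deciding which dumps hold the same unpacked payload.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the report lines above, embedded so this runs
# offline. A repeated file block and a mapping.dmp entry are included on purpose.
SAMPLE = r"""
memory/4368-252-0x0000000000400000-0x000000000302C000-memory.dmp
memory/4916-253-0x000000000333D000-0x000000000336B000-memory.dmp
memory/4916-254-0x0000000000400000-0x000000000302C000-memory.dmp
memory/640-255-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
C:\Users\Admin\AppData\Local\7ecf8551-7511-4e3c-80a8-42ec77825432\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
C:\Users\Admin\AppData\Local\Temp\AEC7.exe
| MD5 | 381e3092856f036dfe6e773b3086a920 |
| SHA1 | c88625006f7efc16e9fa70b66f9cf1a275210b8f |
| SHA256 | 88a881fea5323fa6b6dc147c64e8efc8bd2ae4379541d2cdd6f38d2f3b0a6a99 |
memory/4356-271-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2404-286-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4356-273-0x0000000000400000-0x0000000000460000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Split report lines into file records (path + hash dict) and dump records."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            current = None  # a dump line ends any open file record
            dumps.append({
                "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
                "start": int(m["start"], 16),
                "end": int(m["end"], 16) if m["end"] else None,
            })
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def unique_files(files):
    """SHA256 -> sorted paths. Records without a well-formed SHA256 are returned
    separately instead of being silently dropped."""
    by_hash, malformed = defaultdict(set), []
    for f in files:
        h = f["hashes"].get("SHA256")
        if h is None or len(h) != HASH_LEN["SHA256"]:
            malformed.append(f["path"])
            continue
        by_hash[h].add(f["path"])
    return {h: sorted(p) for h, p in by_hash.items()}, malformed


def shared_regions(dumps):
    """(start, end) ranges dumped from more than one PID -> sorted PIDs.
    mapping.dmp entries have no range and are skipped."""
    owners = defaultdict(set)
    for d in dumps:
        if d["kind"] == "memory" and d["end"] is not None:
            owners[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(p) for rng, p in owners.items() if len(p) > 1}


def region_size(start, end):
    return end - start


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    uniq, bad = unique_files(files)
    for sha, paths in uniq.items():
        print(sha, *paths, sep="\n  ")
    for (s, e), pids in shared_regions(dumps).items():
        print(f"0x{s:X}-0x{e:X} ({region_size(s, e):,} bytes) in PIDs {pids}")
```

Feed it the full artifact list instead of `SAMPLE` to get a deduplicated SHA256 set for blocking and the list of cross-process regions to carve first; anything in `malformed` is a hash table that needs a second look before it goes into a blocklist.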