Analysis Overview
| SHA256 | 02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167 |
Threat Level: Known bad
The file 02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167 was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Vidar
Aurora
Detected Djvu ransomware
Detects Smokeloader packer
DcRat
SmokeLoader
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2023-01-09 13:07 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-01-09 13:07 |
| Reported | 2023-01-09 13:10 |
| Platform | win10v2004-20220812-en |
| Max time kernel | 185s |
| Max time network | 186s |
| Command Line | |
Signatures
Aurora
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\26201f22-4a29-4f15-a08e-61be5a913670\\4FA9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4FA9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detected Djvu ransomware
Detects Smokeloader packer
Djvu Ransomware
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4FA9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70DE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4FA9.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\26201f22-4a29-4f15-a08e-61be5a913670\\4FA9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4FA9.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1836 set thread context of 4124 | N/A | C:\Users\Admin\AppData\Local\Temp\4FA9.exe | C:\Users\Admin\AppData\Local\Temp\4FA9.exe |
| PID 5048 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\4FA9.exe | C:\Users\Admin\AppData\Local\Temp\4FA9.exe |
| PID 528 set thread context of 1832 | N/A | C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe |
| PID 3932 set thread context of 2088 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E6AC.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\vccdfce |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4E80.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4E80.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fvcdfce | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4E80.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fvcdfce | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fvcdfce | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4E80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fvcdfce | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F7A3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F9B7.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe | "C:\Users\Admin\AppData\Local\Temp\02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167.exe" |
| C:\Users\Admin\AppData\Local\Temp\F7A3.exe | C:\Users\Admin\AppData\Local\Temp\F7A3.exe |
| C:\Users\Admin\AppData\Local\Temp\F9B7.exe | C:\Users\Admin\AppData\Local\Temp\F9B7.exe |
| C:\Users\Admin\AppData\Local\Temp\4E80.exe | C:\Users\Admin\AppData\Local\Temp\4E80.exe |
| C:\Users\Admin\AppData\Local\Temp\4FA9.exe | C:\Users\Admin\AppData\Local\Temp\4FA9.exe |
| C:\Users\Admin\AppData\Local\Temp\4FA9.exe | C:\Users\Admin\AppData\Local\Temp\4FA9.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\26201f22-4a29-4f15-a08e-61be5a913670" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\4FA9.exe | "C:\Users\Admin\AppData\Local\Temp\4FA9.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\70DE.exe | C:\Users\Admin\AppData\Local\Temp\70DE.exe |
| C:\Users\Admin\AppData\Roaming\pzeloxwzcf.exe | "C:\Users\Admin\AppData\Roaming\pzeloxwzcf.exe" |
| C:\Windows\System32\Wbem\wmic.exe | wmic os get Caption |
| C:\Windows\system32\cmd.exe | cmd /C "wmic path win32_VideoController get name" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\system32\cmd.exe | cmd /C "wmic cpu get name" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic cpu get name |
| C:\Users\Admin\AppData\Local\Temp\4FA9.exe | "C:\Users\Admin\AppData\Local\Temp\4FA9.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | "C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe" |
| C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build3.exe | "C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe | "C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe" |
| C:\Users\Admin\AppData\Local\Temp\E6AC.exe | C:\Users\Admin\AppData\Local\Temp\E6AC.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 380 -ip 380 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 560 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 6 |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15605 |
| C:\Users\Admin\AppData\Roaming\fvcdfce | C:\Users\Admin\AppData\Roaming\fvcdfce |
| C:\Users\Admin\AppData\Roaming\vccdfce | C:\Users\Admin\AppData\Roaming\vccdfce |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4808 -ip 4808 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 340 |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x0 /state0:0xa3950055 /state1:0x41c64e6d |
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.0:80 | potunulit.org | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 91.215.85.155:32796 | N/A | tcp |
| N/A | 91.215.85.155:32796 | N/A | tcp |
| N/A | 104.46.162.224:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 82.115.223.77:8081 | N/A | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 190.140.74.43:80 | spaceris.com | tcp |
| N/A | 190.219.54.242:80 | uaery.top | tcp |
| N/A | 190.140.74.43:80 | spaceris.com | tcp |
| N/A | 8.8.8.8:53 | vatra.at | udp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 49.12.113.110:80 | 49.12.113.110 | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 146.19.173.115:80 | 146.19.173.115 | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 187.156.85.141:80 | vatra.at | tcp |
| N/A | 127.0.0.1:15605 | N/A | tcp |
| N/A | 127.0.0.1:1312 | N/A | tcp |
Files
memory/1000-132-0x00000000031CD000-0x00000000031E3000-memory.dmp
memory/1000-133-0x0000000003170000-0x0000000003179000-memory.dmp
memory/1000-134-0x0000000000400000-0x0000000003013000-memory.dmp
memory/1000-135-0x0000000000400000-0x0000000003013000-memory.dmp
memory/4636-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F7A3.exe
| MD5 | 004db2ed51061ebc0cd93962997d76e0 |
| SHA1 | 13ff4bf90af64bf75cb186bc31cc70923736d861 |
| SHA256 | 6fa865feb43e8ea6cb85a5694db902c2f278fb7b47e52224490ae0c40531712a |
| SHA512 | 1f3bac76b3fc8314cbf217f8a3fa71976d02488f467b99f573f13e5dce028bae127172a60b20fabb123c12f8588d9f06b792cd56780cbb1a0c455912f264ca2e |
C:\Users\Admin\AppData\Local\Temp\F7A3.exe
| MD5 | 004db2ed51061ebc0cd93962997d76e0 |
| SHA1 | 13ff4bf90af64bf75cb186bc31cc70923736d861 |
| SHA256 | 6fa865feb43e8ea6cb85a5694db902c2f278fb7b47e52224490ae0c40531712a |
| SHA512 | 1f3bac76b3fc8314cbf217f8a3fa71976d02488f467b99f573f13e5dce028bae127172a60b20fabb123c12f8588d9f06b792cd56780cbb1a0c455912f264ca2e |
memory/3940-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
| MD5 | a54b11ad76c698e14478d64391430be7 |
| SHA1 | 4aea31ed39f0942b345bed0b6813562d72b6b792 |
| SHA256 | ade40de269f1106cc15af503873ca91733dc4e4173bc7af3448de19435e51fee |
| SHA512 | 5376f01fbfbcb7bb02f4e61c17473bb8c603b00a270a3a48cc0bdb13cf992b33b6d3a5a09f4fb9fb937e25ff40d45b1264b803698298181efcf93e9278b32e16 |
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
| MD5 | a54b11ad76c698e14478d64391430be7 |
| SHA1 | 4aea31ed39f0942b345bed0b6813562d72b6b792 |
| SHA256 | ade40de269f1106cc15af503873ca91733dc4e4173bc7af3448de19435e51fee |
| SHA512 | 5376f01fbfbcb7bb02f4e61c17473bb8c603b00a270a3a48cc0bdb13cf992b33b6d3a5a09f4fb9fb937e25ff40d45b1264b803698298181efcf93e9278b32e16 |
memory/4636-142-0x0000000004D60000-0x0000000005304000-memory.dmp
memory/4636-143-0x000000000064E000-0x000000000067C000-memory.dmp
memory/4636-144-0x00000000005C0000-0x000000000060B000-memory.dmp
memory/4636-145-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4636-146-0x0000000005310000-0x0000000005928000-memory.dmp
memory/4636-147-0x0000000005930000-0x0000000005A3A000-memory.dmp
memory/4636-148-0x0000000004C90000-0x0000000004CA2000-memory.dmp
memory/3940-149-0x0000000008430000-0x000000000846C000-memory.dmp
memory/3940-150-0x00000000031CD000-0x00000000031FB000-memory.dmp
memory/3940-151-0x0000000000400000-0x0000000003034000-memory.dmp
memory/3940-152-0x0000000008720000-0x0000000008786000-memory.dmp
memory/4636-153-0x0000000006340000-0x00000000063D2000-memory.dmp
memory/4636-154-0x0000000006440000-0x0000000006602000-memory.dmp
memory/4636-155-0x0000000006610000-0x0000000006B3C000-memory.dmp
memory/4636-156-0x000000000064E000-0x000000000067C000-memory.dmp
memory/3940-157-0x00000000031CD000-0x00000000031FB000-memory.dmp
memory/4636-158-0x000000000064E000-0x000000000067C000-memory.dmp
memory/4636-159-0x0000000000400000-0x0000000000470000-memory.dmp
memory/3940-160-0x0000000000400000-0x0000000003034000-memory.dmp
memory/2968-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4E80.exe
| MD5 | 7ed687ac3ea2d88751c61ee4242d2cb1 |
| SHA1 | f4540c03affd6da03d56ebde96b3405877c4339d |
| SHA256 | 4c19c053186dbe91f79872857581e6d7ef3bf1d383b42054e6ede398557e8007 |
| SHA512 | cfa89214d7697471a57ea3aef851250ec3bed42f3daef40d7c976c5ea407a4a5e3ee1d5b22c3e0dc060e02e3fc321f265cca10b1efa15fe4348f0818e6fdb1c6 |
memory/1836-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4FA9.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/4124-167-0x0000000000000000-mapping.dmp
memory/4124-168-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4FA9.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/1836-172-0x0000000004CE4000-0x0000000004D75000-memory.dmp
memory/4124-171-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2968-174-0x00000000031AD000-0x00000000031C2000-memory.dmp
memory/2968-175-0x00000000030A0000-0x00000000030A9000-memory.dmp
memory/1836-173-0x0000000004E90000-0x0000000004FAB000-memory.dmp
memory/4124-170-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2968-176-0x0000000000400000-0x000000000301B000-memory.dmp
memory/4124-177-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3448-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\26201f22-4a29-4f15-a08e-61be5a913670\4FA9.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/5048-180-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4FA9.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/4124-181-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3892-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\70DE.exe
| MD5 | 759c12b796e6748a79b1317056194a6d |
| SHA1 | 2931c81c3d03d8c2bf7e47cda59c46059c07bab8 |
| SHA256 | d9ca3bd415f28b6e760fc9e501f65c2293d59666a9a9445a56d054f3e0c35b93 |
| SHA512 | e4940185b7923d93060c33f0fe220216c97bbdf2b1bc62ab9965882f82a8ec7d262fc66fa6f96d6d5cf8790cbf3aa4c7be652fd713b415ff7ff966d8a0411cab |
memory/3892-186-0x0000000000C20000-0x0000000001C0A000-memory.dmp
memory/3892-187-0x00007FFDF4040000-0x00007FFDF4B01000-memory.dmp
memory/2968-188-0x0000000000400000-0x000000000301B000-memory.dmp
memory/4328-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\pzeloxwzcf.exe
| MD5 | a571e4d8f9c450f2c256e3ca4ed01f59 |
| SHA1 | acae29d7d8ca985b369525b4defdca4962592b4e |
| SHA256 | 8d7d5abf2d92e4951e29b59140f182c582c335d8957435bea2f539b7ad7a3b0e |
| SHA512 | 068807a6b03b6833e6531e04b4795b95e0c116e494af942bbd88c23abb9c0a22913120aa10ce05d1d81413e474cb64d64512d78a3a2878dacb2d943205cd10b0 |
memory/3892-192-0x00007FFDF4040000-0x00007FFDF4B01000-memory.dmp
memory/2644-193-0x0000000000000000-mapping.dmp
memory/2740-194-0x0000000000000000-mapping.dmp
memory/1000-195-0x0000000000000000-mapping.dmp
memory/5008-196-0x0000000000000000-mapping.dmp
memory/360-197-0x0000000000000000-mapping.dmp
memory/2672-198-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4FA9.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/2672-202-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5048-201-0x00000000031F1000-0x0000000003282000-memory.dmp
memory/2672-203-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | f3eabdf51a7e8490f1616c91d549d4f2 |
| SHA1 | 34898036057c7b401defc4a9259ca12dc9448b0e |
| SHA256 | 3b4d699a5d084e28f873dd1d05971e71c51ab18f4455196c3e8b07772b12f17f |
| SHA512 | 7011ba5f1eeea972786129874dc2cba0fd4ee0060ba2634d236bafb3b059b65019ea6ff49b9a81de15240f6998675753e4814a9dc356e3e577b28a104ebf74a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | deb5907196e6e5e0e915c276f65a6924 |
| SHA1 | 62802115ee04a17e66297fbfd5ab8d933040ffdb |
| SHA256 | 48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1 |
| SHA512 | 4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 98b326eccd82863b402ba313dfc17c0e |
| SHA1 | 46d23fe2d37a76de45a52de941d69f7284a670eb |
| SHA256 | c8b5fb14b3fcfdcf5ce1490a3ba8b97c84ed1f41de2c826d9fd78c0fa4ab7ec1 |
| SHA512 | 7955edc6a11cc28b052abad28c357d618b499c58073c83806e55f593adf8b31228f8e089e4e12677dabed364a61cce3bfe45265a9ce0f96f3f8d2333db6746c7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 61a9f01083346a0ee40dc68983932b14 |
| SHA1 | 85737a00e510acc709a5ea03d04a666bf41eb912 |
| SHA256 | db745e7939f305e69baa8e6fda50687f545b5b9af3cffbd290f1223d7956c1e7 |
| SHA512 | 80edf82ede77a5657e92ca9c6ec45fe28118f1f0372d33e377185f7043580ee136927922556795552b41b9bd03aaef9a0273758af375b56ad4470aa23ac88349 |
memory/2672-208-0x0000000000400000-0x0000000000537000-memory.dmp
memory/528-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/3052-212-0x0000000000000000-mapping.dmp
memory/3560-215-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1832-216-0x0000000000000000-mapping.dmp
memory/1832-217-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\67619b30-5163-460d-83f1-f547263206bb\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/528-220-0x00000000006E8000-0x0000000000715000-memory.dmp
memory/1832-219-0x0000000000400000-0x0000000000460000-memory.dmp
memory/528-222-0x0000000002070000-0x00000000020BC000-memory.dmp
memory/1832-221-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1832-223-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2672-224-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1832-225-0x0000000050AB0000-0x0000000050B42000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/380-246-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E6AC.exe
| MD5 | e7f1a070a914352c8e80242c1618732b |
| SHA1 | 669a862cdcad14ae1258c997f62f124c8fb1048f |
| SHA256 | 0749948b3bf98c2c5bc03060634d215542f87dab8a92677f1885cf0b9ea36f39 |
| SHA512 | 18fbf494f375a2285f85774de8de75c2d89582e06b94c2a56266676a24e4b19c9a2e51afd0e039f01a48b142cfbe4661aba2b57e706d6f1cb527ac4b7d6d3faf |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3760-251-0x0000000000000000-mapping.dmp
memory/1832-252-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3932-253-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp
| MD5 | 9dd70d24b2657a9254b9fd536a4d06d5 |
| SHA1 | 348a1d210d7c4daef8ecdb692eadf3975971e8ee |
| SHA256 | d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd |
| SHA512 | dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6 |
memory/4896-256-0x0000000000000000-mapping.dmp
memory/1832-257-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3824-258-0x0000000000000000-mapping.dmp
memory/380-259-0x000000000227D000-0x0000000002351000-memory.dmp
memory/380-260-0x0000000002360000-0x0000000002475000-memory.dmp
memory/380-261-0x0000000000400000-0x0000000000517000-memory.dmp
memory/3932-262-0x0000000005D90000-0x00000000068D1000-memory.dmp
memory/3932-263-0x0000000005D90000-0x00000000068D1000-memory.dmp
memory/3932-264-0x0000000004050000-0x0000000004190000-memory.dmp
memory/3932-265-0x0000000004050000-0x0000000004190000-memory.dmp
memory/3932-266-0x0000000004050000-0x0000000004190000-memory.dmp
memory/3932-267-0x0000000004050000-0x0000000004190000-memory.dmp
memory/3932-268-0x0000000004050000-0x0000000004190000-memory.dmp
memory/3932-269-0x0000000004050000-0x0000000004190000-memory.dmp
memory/2088-270-0x00007FF7167E6890-mapping.dmp
memory/2088-271-0x000001CC53140000-0x000001CC53280000-memory.dmp
memory/2088-272-0x000001CC53140000-0x000001CC53280000-memory.dmp
memory/2088-274-0x00000000003A0000-0x0000000000641000-memory.dmp
memory/3932-273-0x00000000040C9000-0x00000000040CB000-memory.dmp
memory/2088-275-0x000001CC516E0000-0x000001CC51992000-memory.dmp
memory/3932-276-0x0000000005D90000-0x00000000068D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\fvcdfce
| MD5 | 7ed687ac3ea2d88751c61ee4242d2cb1 |
| SHA1 | f4540c03affd6da03d56ebde96b3405877c4339d |
| SHA256 | 4c19c053186dbe91f79872857581e6d7ef3bf1d383b42054e6ede398557e8007 |
| SHA512 | cfa89214d7697471a57ea3aef851250ec3bed42f3daef40d7c976c5ea407a4a5e3ee1d5b22c3e0dc060e02e3fc321f265cca10b1efa15fe4348f0818e6fdb1c6 |
C:\Users\Admin\AppData\Roaming\vccdfce
| MD5 | 578e295f5604cb598c57b39f826b7d02 |
| SHA1 | b1b12ecb4e1c6a114f467ae022bc2111eec74643 |
| SHA256 | 02796d9dd217ef5fb43d089ba45b3bbe97a65f51e14661a777bdd0e459c30167 |
| SHA512 | 4c99f66c0b40e63085753459146f78a97c870ccc4b40fddd54badbe9e4baf2356f76b6428313e9977e1722f6f7e480ed9e9cc65b6f544a84ccb202a9f3bf4303 |
memory/4316-281-0x0000000000000000-mapping.dmp
memory/3248-282-0x00000000030FD000-0x0000000003113000-memory.dmp
memory/3248-283-0x0000000000400000-0x000000000301B000-memory.dmp
memory/4808-284-0x000000000331D000-0x0000000003333000-memory.dmp
memory/4808-285-0x0000000000400000-0x0000000003013000-memory.dmp
memory/3248-286-0x0000000000400000-0x000000000301B000-memory.dmp