Analysis Overview
SHA256
aa53cc35aae4abbbac84790b7ff429f2e33ca4385542853c8b218c10c0d2f70a
Threat Level: Known bad
The file 9435cc1769cbcb2c65acd4a41facc20e.exe was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
DcRat
SmokeLoader
Detects Smokeloader packer
Vidar
Aurora
Djvu Ransomware
Executes dropped EXE
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Modifies file permissions
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Checks processor information in registry
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-09 16:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-09 16:11
Reported
2023-01-09 16:13
Platform
win7-20220812-en
Max time kernel
150s
Max time network
46s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe
"C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe"
Network
Files
memory/1664-54-0x0000000075981000-0x0000000075983000-memory.dmp
memory/1664-56-0x0000000000230000-0x0000000000239000-memory.dmp
memory/1664-55-0x000000000056D000-0x0000000000583000-memory.dmp
memory/1664-57-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1664-58-0x0000000000400000-0x0000000000457000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-09 16:11
Reported
2023-01-09 16:13
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Aurora
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d0e99dbe-b45e-4620-8cd2-ab646525a702\\C981.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\C981.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\C981.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\C981.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E6FD.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d0e99dbe-b45e-4620-8cd2-ab646525a702\\C981.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\C981.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1340 set thread context of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\C981.exe | C:\Users\Admin\AppData\Local\Temp\C981.exe |
| PID 4516 set thread context of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\C981.exe | C:\Users\Admin\AppData\Local\Temp\C981.exe |
| PID 5072 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe | C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EC0F.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C4EB.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E95F.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C7BB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C7BB.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F018.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F018.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\C7BB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F018.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7BB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F018.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C4EB.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe
"C:\Users\Admin\AppData\Local\Temp\9435cc1769cbcb2c65acd4a41facc20e.exe"
C:\Users\Admin\AppData\Local\Temp\C4EB.exe
C:\Users\Admin\AppData\Local\Temp\C4EB.exe
C:\Users\Admin\AppData\Local\Temp\C7BB.exe
C:\Users\Admin\AppData\Local\Temp\C7BB.exe
C:\Users\Admin\AppData\Local\Temp\C981.exe
C:\Users\Admin\AppData\Local\Temp\C981.exe
C:\Users\Admin\AppData\Local\Temp\E6FD.exe
C:\Users\Admin\AppData\Local\Temp\E6FD.exe
C:\Users\Admin\AppData\Local\Temp\E95F.exe
C:\Users\Admin\AppData\Local\Temp\E95F.exe
C:\Users\Admin\AppData\Local\Temp\EC0F.exe
C:\Users\Admin\AppData\Local\Temp\EC0F.exe
C:\Users\Admin\AppData\Local\Temp\F018.exe
C:\Users\Admin\AppData\Local\Temp\F018.exe
C:\Users\Admin\AppData\Local\Temp\C981.exe
C:\Users\Admin\AppData\Local\Temp\C981.exe
C:\Users\Admin\AppData\Roaming\bkbnbqbtqbre.exe
"C:\Users\Admin\AppData\Roaming\bkbnbqbtqbre.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d0e99dbe-b45e-4620-8cd2-ab646525a702" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3892 -ip 3892
C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 344
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\C981.exe
"C:\Users\Admin\AppData\Local\Temp\C981.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2456 -ip 2456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 852
C:\Users\Admin\AppData\Local\Temp\C981.exe
"C:\Users\Admin\AppData\Local\Temp\C981.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1416
C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe
"C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe"
C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build3.exe
"C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe
"C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe"
C:\Users\Admin\AppData\Local\Temp\795D.exe
C:\Users\Admin\AppData\Local\Temp\795D.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
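The process list above shows the persistence and clean-up chain almost verbatim: a scheduled task re-launching an executable from AppData every minute, an icacls ACL that denies Everyone (S-1-1-0) delete rights on the dropper's own folder, a cmd.exe timeout-then-del self-deletion, wmic hardware/OS recon, and a Run key pointing into AppData with an --AutoStart argument. The following Python is an added example, not part of the sandbox report, that turns those five observations into regex rules and runs them over constructed Sysmon-style process-creation and registry-set records (the Event class, rule names and the sample events are all assumptions of this example; the malicious samples copy the command lines and the registry write recorded in this report, the benign look-alikes are invented):

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal process-creation / registry-set record (the shape of Sysmon
    event 1 and event 13 fields, constructed for this example)."""
    kind: str          # "process" or "registry"
    image: str = ""    # full path of the process image
    cmdline: str = ""  # command line (kind == "process")
    key: str = ""      # registry value path (kind == "registry")
    data: str = ""     # registry value data (kind == "registry")


# name, event kind, regex on the image path, regex on the command line
# (process events) or on "<key> = <data>" (registry events).  Each pattern is
# generalised from one command line or registry write recorded in the report.
RULES = [
    ("schtasks_minute_interval_task_in_appdata", "process",
     r"\\schtasks\.exe$",
     r'/create\b.*?/sc\s+minute\b.*?/tr\s+"?[^"]*\\AppData\\'),
    ("icacls_deny_everyone_delete_on_own_dir", "process",
     r"\\icacls\.exe$",
     r"/deny\s+\*S-1-1-0:\S*\(DE,DC\)"),
    ("cmd_timeout_then_self_delete", "process",
     r"\\cmd\.exe$",
     r"\btimeout\b.*?&\s*del\b.*?/q\b"),
    ("wmic_hardware_or_os_recon", "process",
     r"\\wmic\.exe$",
     r"\b(cpu|os|path\s+win32_videocontroller)\s+get\s+(name|caption)\b"),
    ("run_key_autostart_from_appdata", "registry",
     r"",
     r"\\CurrentVersion\\Run\\[^=]*=.*\\AppData\\(Local|Roaming)\\"),
]
COMPILED = [(n, k, re.compile(i, re.I), re.compile(t, re.I)) for n, k, i, t in RULES]


def scan(events):
    """Return (event_index, rule_name) for every rule that matches an event."""
    hits = []
    for idx, ev in enumerate(events):
        text = ev.cmdline if ev.kind == "process" else f"{ev.key} = {ev.data}"
        for name, kind, img_re, txt_re in COMPILED:
            if ev.kind != kind:
                continue
            if kind == "process" and not img_re.search(ev.image):
                continue
            if txt_re.search(text):
                hits.append((idx, name))
    return hits


# Constructed sample: the first five records mirror the report, the last three
# are benign look-alikes that a rule must not fire on.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    Event("process", r"C:\Windows\SysWOW64\icacls.exe",
          r'icacls "C:\Users\Admin\AppData\Local\d0e99dbe-b45e-4620-8cd2-ab646525a702" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe" & exit'),
    Event("process", r"C:\Windows\System32\Wbem\WMIC.exe", "wmic cpu get name"),
    Event("registry",
          key=r"HKU\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
          data=r'"C:\Users\Admin\AppData\Local\d0e99dbe-b45e-4620-8cd2-ab646525a702\C981.exe" --AutoStart'),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
    Event("process", r"C:\Windows\System32\icacls.exe",
          r'icacls "C:\Shares\Public" /grant Users:(OI)(CI)R'),
    Event("registry",
          key=r"HKU\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
          data=r'"C:\Program Files\Vendor\tray.exe" /background'),
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The image check is deliberately separate from the command-line check: the cmd.exe wrapper lines in the report ("cmd /C \"wmic cpu get name\"") would otherwise double-fire the wmic rule, and a rule keyed on schtasks.exe does not care which parent spawned it. The minute-interval task rule is the highest-signal one here; legitimate software rarely re-launches an AppData binary every minute, which is why the benign daily task in the sample stays silent.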
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.1:80 | potunulit.org | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 185.106.94.35:80 | 185.106.94.35 | tcp |
| N/A | 13.89.179.10:443 | N/A | tcp |
| N/A | 91.215.85.155:32796 | N/A | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 82.115.223.77:8081 | N/A | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 91.215.85.155:32796 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 185.95.186.58:80 | uaery.top | tcp |
| N/A | 195.158.3.162:80 | spaceris.com | tcp |
| N/A | 195.158.3.162:80 | spaceris.com | tcp |
| N/A | 8.8.8.8:53 | vatra.at | udp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 146.19.173.115:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 5.75.203.81:80 | 5.75.203.81 | tcp |
| N/A | 8.8.8.8:53 | c3g6gx853u6j.xyz | udp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | transfer.sh | udp |
| N/A | 144.76.136.153:443 | transfer.sh | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | github.com | udp |
| N/A | 140.82.113.3:443 | github.com | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
| N/A | 211.119.84.112:80 | vatra.at | tcp |
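Turning the network table above into a usable indicator list needs three things the raw export does not do: separate the DNS queries to 8.8.8.8 from the connections they precede, collapse repeated connections to the same endpoint, and realign rows whose Domain cell is empty (in the raw export those come out shifted left, with the protocol sitting in the Domain column). The Python below is an added example written for this page, not part of the sandbox report; the function names are this example's own, and the embedded table is a constructed subset of the rows above, including one shifted row. The ignore set passed to block_list is an analyst choice: api.2ip.ua is the external-IP lookup service the report flags, not attacker infrastructure, so it is excluded here while the remaining names and bare IPs are kept.

```python
from collections import defaultdict

# Constructed subset of the report's network table, with one row kept in the
# shifted form the raw export produces when the Domain cell is empty.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.1:80 | potunulit.org | tcp |
| N/A | 194.110.203.101:80 | 194.110.203.101 | tcp |
| N/A | 13.89.179.10:443 | tcp | |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | c3g6gx853u6j.xyz | udp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 146.19.173.115:80 | tcp | |
"""


def parse_network_table(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts.

    A row whose Domain cell was empty arrives as '| N/A | ip:port | tcp | |';
    it is realigned so the protocol is never mistaken for a domain.  A Domain
    cell that just repeats the destination IP is treated as no domain at all.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        if domain in ("", "N/A") or domain == dest.rpartition(":")[0]:
            domain = ""
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Split rows into DNS queries, name->endpoint map and bare-IP endpoints."""
    dns_queries = set()
    name_to_endpoints = defaultdict(set)
    bare_endpoints = set()
    for r in rows:
        ip, _, port = r["dest"].rpartition(":")
        if r["proto"] == "udp" and port == "53":
            if r["domain"]:
                dns_queries.add(r["domain"])
            continue  # the resolver itself is not an indicator
        if r["domain"]:
            name_to_endpoints[r["domain"]].add(f"{ip}:{port}")
        else:
            bare_endpoints.add(f"{ip}:{port}")
    return dns_queries, dict(name_to_endpoints), bare_endpoints


def block_list(rows, ignore=frozenset()):
    """Unique domains and IPs to block, dropping names in `ignore` together
    with the IPs that were only ever reached through those names."""
    _, named, bare = summarize(rows)
    hosts = set()
    for name, endpoints in named.items():
        if name in ignore:
            continue
        hosts.add(name)
        hosts.update(ep.rsplit(":", 1)[0] for ep in endpoints)
    hosts.update(ep.rsplit(":", 1)[0] for ep in bare)
    return sorted(hosts)


if __name__ == "__main__":
    rows = parse_network_table(SAMPLE_TABLE)
    dns, named, bare = summarize(rows)
    print("queried:", sorted(dns))
    print("named endpoints:", named)
    print("bare endpoints:", sorted(bare))
    print("block list:", block_list(rows, ignore={"api.2ip.ua"}))
```

Names that were queried but never connected to still show up in the dns set; in a real triage those deserve a look as well, since a dropper that resolves a name and then fails to connect is often just a dead C2 from an earlier build. Shared services such as t.me, github.com and transfer.sh in the full table above are the kind of entries an analyst would add to the ignore set, while keeping the payload-specific paths they were used for in the case notes.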
Files
memory/1948-132-0x00000000006DE000-0x00000000006F4000-memory.dmp
memory/1948-133-0x00000000006B0000-0x00000000006B9000-memory.dmp
memory/1948-134-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1948-135-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2456-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C4EB.exe
| MD5 | 8a99de00a0c5c289f043fa9b31b293a8 |
| SHA1 | c5749ec538f5f1341ac61dac89f10c3b9a7d356e |
| SHA256 | 50699bf9784cab5ae73b37c7b213865f42cf2c936c87f0080ed5b882f7445203 |
| SHA512 | 1ca86894c9fab26d86ec3cbd8f83b15aaadc267e0627b9d989d99963c6d1065ad06c9aeec989db5929ef3da118a1cc526ed02f18773c64caeea97d762dfe4a75 |
memory/3264-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C7BB.exe
| MD5 | d455404ccf602c6f62ee5d66e8c920c2 |
| SHA1 | 4efa2b37784fa4d02f522688c59cc09eca6c3b59 |
| SHA256 | bf35ab0452d63c96d2c186a015bb398157adcb5fac907c74ac0f5e53e5e246cf |
| SHA512 | a026764e816242f58ec8c0c74c7c46ff42aa4c8a83216f46fbc50a8a2513f0c9bfbf5e6901ec0f41f18dd31899a8fc78c3964358a8ad5ef34995b43814ca34b6 |
C:\Users\Admin\AppData\Local\Temp\C981.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
memory/1340-142-0x0000000000000000-mapping.dmp
memory/3332-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E6FD.exe
| MD5 | 759c12b796e6748a79b1317056194a6d |
| SHA1 | 2931c81c3d03d8c2bf7e47cda59c46059c07bab8 |
| SHA256 | d9ca3bd415f28b6e760fc9e501f65c2293d59666a9a9445a56d054f3e0c35b93 |
| SHA512 | e4940185b7923d93060c33f0fe220216c97bbdf2b1bc62ab9965882f82a8ec7d262fc66fa6f96d6d5cf8790cbf3aa4c7be652fd713b415ff7ff966d8a0411cab |
memory/3332-148-0x0000000000C30000-0x0000000001C1A000-memory.dmp
memory/3616-150-0x0000000000000000-mapping.dmp
memory/2456-151-0x00000000005B0000-0x00000000005FB000-memory.dmp
memory/2456-152-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E95F.exe
| MD5 | 66a745129dab9c8a13b1018441b25b73 |
| SHA1 | 6a6cfda8038ae29e6a300c642e97c437e5f2ba63 |
| SHA256 | 6e58eca1768d8e2705eaebe545a3522fd3f5af823bf862f9a7d00e95741ebe9b |
| SHA512 | 33812fbc2e6d04919d366ae0aad5f2a9fe8920bfa55ae220773ad9afd54327d9c560a8964d0c348784e643fdf7325a5452a97500458d0a81241ac5c339829af1 |
memory/2456-149-0x00000000007FE000-0x000000000082C000-memory.dmp
memory/2456-155-0x0000000004A90000-0x0000000005034000-memory.dmp
memory/3892-156-0x0000000000000000-mapping.dmp
memory/3264-160-0x0000000000560000-0x0000000000569000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EC0F.exe
| MD5 | be5e1dfbd95462619b4601bfe118a62a |
| SHA1 | 701471601072de24e846db769748ed4dbbfd07af |
| SHA256 | c0b571fa3068ce06230d83269dd58f5d5335f602ae5c5d0631a71efb2749a4b0 |
| SHA512 | 2a4aa496e864ca9f7600abfef23996c4c7705bb03cae30dfa7da8b7a1284517984dc22abadcd505f46daeef40f6ea6c15cb1ce57cc2e66e139e1669f9bdfc4fb |
memory/3264-161-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3332-157-0x00007FF81BAF0000-0x00007FF81C5B1000-memory.dmp
memory/4316-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F018.exe
| MD5 | c6917bc242058814f64360de5b4320be |
| SHA1 | 4c1959cc707acb43a1466d166e151c517164edc2 |
| SHA256 | 732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516 |
| SHA512 | 2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb |
C:\Users\Admin\AppData\Local\Temp\C981.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
C:\Users\Admin\AppData\Roaming\bkbnbqbtqbre.exe
| MD5 | a571e4d8f9c450f2c256e3ca4ed01f59 |
| SHA1 | acae29d7d8ca985b369525b4defdca4962592b4e |
| SHA256 | 8d7d5abf2d92e4951e29b59140f182c582c335d8957435bea2f539b7ad7a3b0e |
| SHA512 | 068807a6b03b6833e6531e04b4795b95e0c116e494af942bbd88c23abb9c0a22913120aa10ce05d1d81413e474cb64d64512d78a3a2878dacb2d943205cd10b0 |
C:\Users\Admin\AppData\Local\d0e99dbe-b45e-4620-8cd2-ab646525a702\C981.exe
| MD5 | 5a4646dc1e0caa4a0c2da0ddb1c7e97f |
| SHA1 | bd57414c9549641a54a27cb7868d318689685938 |
| SHA256 | 9fe04c781e72a87b131df24fa7f16567fcfe4c16c8e812650e5d583c65e6e3ba |
| SHA512 | 6faf7a612b810595d44bbe8bf0c0637a76794d2831e85e4f0377b6fca0ee5383f364f5b3c0c87dc17d3ac13b7cfc43a738e64bc0fd129fa0921c7d87f0b9b651 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | deb5907196e6e5e0e915c276f65a6924 |
| SHA1 | 62802115ee04a17e66297fbfd5ab8d933040ffdb |
| SHA256 | 48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1 |
| SHA512 | 4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 36f8b931f9d415767f17a362d48051b7 |
| SHA1 | a09c9065d1a6384073ce0e7c9d34b0c9f602752a |
| SHA256 | fa9864dcf8b3e672c451997034212372e6aeff980cfafb6efc2548a674483e29 |
| SHA512 | 4708c98a7e412a681dfbd43eb2a99abfc5f865e33d6f143627b3b25d035cc03465c3e387a5f640ebcb3d78105480bc915306601bef55759b01db384ddf322a4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 61a9f01083346a0ee40dc68983932b14 |
| SHA1 | 85737a00e510acc709a5ea03d04a666bf41eb912 |
| SHA256 | db745e7939f305e69baa8e6fda50687f545b5b9af3cffbd290f1223d7956c1e7 |
| SHA512 | 80edf82ede77a5657e92ca9c6ec45fe28118f1f0372d33e377185f7043580ee136927922556795552b41b9bd03aaef9a0273758af375b56ad4470aa23ac88349 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 292c6771dcf705e74ec5d84f7390d013 |
| SHA1 | e9d7220b2cd4bbfdb0926f1330e2241e469c07ad |
| SHA256 | 8933739b565d4e6c4d562ae29cf916234b22c9a0b2f3e1a7a47bdeacec15cb93 |
| SHA512 | 034946f78fbb48658ca787f2c4014950ae2b1c5641b35a76478168db53813198d072c8abcb34d1fd4d249502b0f37609a0da4096b999089be4d64156d939d0a4 |
C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build2.exe
| MD5 | 19b18ab424c9bfe498094eab6e124eb8 |
| SHA1 | b78148d95360125fe8e778bbff8d41eb58c48ede |
| SHA256 | f89ea963fcb584772f149a3c6a576d2a8cb037b3f956ac43dfc9ca0abe310956 |
| SHA512 | 202f57aa334bed6c55731c79804a5d05e879b3b518483668d5d73848b5409882cc90f17a4735fbb6fddb0f0a3ce3bf36c9d022e59b850b77ba679201f9c40b0b |
C:\Users\Admin\AppData\Local\560fc8bf-0b06-47f6-b477-a98d4489978e\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
C:\Users\Admin\AppData\Local\Temp\795D.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
| SHA512 | 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |