Malware Analysis Report

2025-05-05 23:53

Sample ID 230110-qr3k6agb67
Target 3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82
SHA256 3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82
Tags
aurora dcrat djvu icedid smokeloader vidar 19 3131022508 backdoor banker discovery infostealer loader persistence ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82

Threat Level: Known bad

The file 3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82 was found to be: Known bad.

Malicious Activity Summary

aurora dcrat djvu icedid smokeloader vidar 19 3131022508 backdoor banker discovery infostealer loader persistence ransomware rat spyware stealer trojan

Aurora

IcedID, BokBot

DcRat

Djvu Ransomware

Detected Djvu ransomware

SmokeLoader

Vidar

Detects Smokeloader packer

Executes dropped EXE

Downloads MZ/PE file

Blocklisted process makes network request

Uses the VBS compiler for execution

Checks computer location settings

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

GoLang User-Agent

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-10 13:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-10 13:30

Reported

2023-01-10 13:33

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe"

Signatures

Aurora

stealer aurora

DcRat

rat infostealer dcrat

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1e45a0dc-a7f4-4852-85c4-e4b3af3dd67c\\131E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\131E.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detected Djvu ransomware

Detects Smokeloader packer

Djvu Ransomware

ransomware djvu

IcedID, BokBot

trojan banker icedid

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\131E.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\131E.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1e45a0dc-a7f4-4852-85c4-e4b3af3dd67c\\131E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\131E.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\yGion09O4J.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\yGion09O4J.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\yGion09O4J.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002a56046c100054656d7000003a0009000400efbe21550a582a56066c2e0000000000000000000000000000000000000000000000000009751b01540065006d007000000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FA2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yGion09O4J.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D3F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BC7.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC7.exe
PID 3036 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC7.exe
PID 3036 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC7.exe
PID 3036 wrote to memory of 2096 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3F.exe
PID 3036 wrote to memory of 2096 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3F.exe
PID 3036 wrote to memory of 2096 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3F.exe
PID 3036 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA2.exe
PID 3036 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA2.exe
PID 3036 wrote to memory of 3560 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA2.exe
PID 3036 wrote to memory of 3172 N/A N/A C:\Users\Admin\AppData\Local\Temp\10FB.exe
PID 3036 wrote to memory of 3172 N/A N/A C:\Users\Admin\AppData\Local\Temp\10FB.exe
PID 3036 wrote to memory of 3172 N/A N/A C:\Users\Admin\AppData\Local\Temp\10FB.exe
PID 3036 wrote to memory of 4824 N/A N/A C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 3036 wrote to memory of 4824 N/A N/A C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 3036 wrote to memory of 4824 N/A N/A C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 3036 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe
PID 3036 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe
PID 3036 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe
PID 3036 wrote to memory of 4600 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B7D.exe
PID 3036 wrote to memory of 4600 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B7D.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4824 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 2296 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Windows\SysWOW64\icacls.exe
PID 2296 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Windows\SysWOW64\icacls.exe
PID 2296 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Windows\SysWOW64\icacls.exe
PID 2296 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 2296 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 2296 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 5004 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
PID 4548 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe
PID 4548 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe
PID 4548 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe
PID 4548 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe
PID 4548 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe
PID 4548 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe
PID 2960 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 456 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 456 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 456 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 456 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 456 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\18AD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2820 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe
PID 2820 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe
PID 2820 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe
PID 2820 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe "C:\Users\Admin\AppData\Local\Temp\3fb18ee962258b75e3650c0ba5e7c9f12aa6569f923ea9228f94192fdd093c82.exe"
C:\Users\Admin\AppData\Local\Temp\BC7.exe C:\Users\Admin\AppData\Local\Temp\BC7.exe
C:\Users\Admin\AppData\Local\Temp\D3F.exe C:\Users\Admin\AppData\Local\Temp\D3F.exe
C:\Users\Admin\AppData\Local\Temp\FA2.exe C:\Users\Admin\AppData\Local\Temp\FA2.exe
C:\Users\Admin\AppData\Local\Temp\10FB.exe C:\Users\Admin\AppData\Local\Temp\10FB.exe
C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
C:\Users\Admin\AppData\Local\Temp\18AD.exe C:\Users\Admin\AppData\Local\Temp\18AD.exe
C:\Users\Admin\AppData\Local\Temp\1B7D.exe C:\Users\Admin\AppData\Local\Temp\1B7D.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3172 -ip 3172
C:\Users\Admin\AppData\Local\Temp\131E.exe C:\Users\Admin\AppData\Local\Temp\131E.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 344
C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\Admin\AppData\Local\1e45a0dc-a7f4-4852-85c4-e4b3af3dd67c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\131E.exe "C:\Users\Admin\AppData\Local\Temp\131E.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\131E.exe "C:\Users\Admin\AppData\Local\Temp\131E.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2096 -ip 2096
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1108
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1236
C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe "C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe"
C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe "C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build3.exe"
C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 456 -ip 456
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 260
C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe "C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe wmic os get Caption
C:\Windows\SysWOW64\cmd.exe cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\CE92.exe C:\Users\Admin\AppData\Local\Temp\CE92.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\yGion09O4J.exe"
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp",Fwpthq
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 544
C:\Users\Admin\AppData\Local\Temp\E9EB.exe C:\Users\Admin\AppData\Local\Temp\E9EB.exe
C:\Users\Admin\AppData\Local\Temp\yGion09O4J.exe "C:\Users\Admin\AppData\Local\Temp\yGion09O4J.exe"
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7aae5e12-6199-4e8b-8b51-9f8399553937\build2.exe" & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\timeout.exe timeout /t 6
C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4084 -ip 4084
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1320
C:\Windows\system32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22815
C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\8570.exe C:\Users\Admin\AppData\Local\Temp\8570.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Network


Files
