Malware Analysis Report

2025-05-05 23:53

Sample ID 230110-sglwrsgd89
Target b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895
SHA256 b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895
Tags
aurora dcrat djvu icedid smokeloader vidar 19 3131022508 backdoor banker discovery infostealer loader persistence ransomware rat spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895

Threat Level: Known bad

The file b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895 was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

Djvu Ransomware

Vidar

Aurora

SmokeLoader

Detects Smokeloader packer

IcedID, BokBot

DcRat

Executes dropped EXE

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Uses the VBS compiler for execution

Modifies file permissions

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

GoLang User-Agent

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Modifies registry class

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-10 15:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-10 15:05

Reported

2023-01-10 15:08

Platform

win10v2004-20221111-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe"

Signatures

Aurora

stealer aurora

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ab53833b-2a86-4152-9945-8ad295ca0991\\F2D5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F2D5.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

IcedID, BokBot

trojan banker icedid

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F2D5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ab53833b-2a86-4152-9945-8ad295ca0991\\F2D5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F2D5.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ED83.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CQfB1OXqBf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ED83.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ED83.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CQfB1OXqBf.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CQfB1OXqBf.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002a56f380100054656d7000003a0009000400efbe6b55586c2a56f3802e0000000000000000000000000000000000000000000000000030572d01540065006d007000000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQfB1OXqBf.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E796.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E90E.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\E796.exe
PID 2032 wrote to memory of 4800 N/A N/A C:\Users\Admin\AppData\Local\Temp\E90E.exe
PID 2032 wrote to memory of 4208 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED83.exe
PID 2032 wrote to memory of 3952 N/A N/A C:\Users\Admin\AppData\Local\Temp\F0B1.exe
PID 2032 wrote to memory of 5008 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2D5.exe
PID 2032 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7B8.exe
PID 2032 wrote to memory of 4532 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA1A.exe
PID 5008 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\F2D5.exe C:\Users\Admin\AppData\Local\Temp\F2D5.exe
PID 3008 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\F2D5.exe C:\Windows\SysWOW64\icacls.exe
PID 3008 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\F2D5.exe C:\Users\Admin\AppData\Local\Temp\F2D5.exe
PID 2644 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\F2D5.exe C:\Users\Admin\AppData\Local\Temp\F2D5.exe
PID 2272 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\F2D5.exe C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe
PID 2272 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\F2D5.exe C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build3.exe
PID 3616 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 1624 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F7B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2416 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2416 wrote to memory of 748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe

"C:\Users\Admin\AppData\Local\Temp\b541a941a0036641549ca38b4f32002b32f3d88009f01657edda4c77b872a895.exe"

C:\Users\Admin\AppData\Local\Temp\E796.exe

C:\Users\Admin\AppData\Local\Temp\E796.exe

C:\Users\Admin\AppData\Local\Temp\E90E.exe

C:\Users\Admin\AppData\Local\Temp\E90E.exe

C:\Users\Admin\AppData\Local\Temp\ED83.exe

C:\Users\Admin\AppData\Local\Temp\ED83.exe

C:\Users\Admin\AppData\Local\Temp\F0B1.exe

C:\Users\Admin\AppData\Local\Temp\F0B1.exe

C:\Users\Admin\AppData\Local\Temp\F2D5.exe

C:\Users\Admin\AppData\Local\Temp\F2D5.exe

C:\Users\Admin\AppData\Local\Temp\F7B8.exe

C:\Users\Admin\AppData\Local\Temp\F7B8.exe

C:\Users\Admin\AppData\Local\Temp\FA1A.exe

C:\Users\Admin\AppData\Local\Temp\FA1A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 344

C:\Users\Admin\AppData\Local\Temp\F2D5.exe

C:\Users\Admin\AppData\Local\Temp\F2D5.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ab53833b-2a86-4152-9945-8ad295ca0991" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\F2D5.exe

"C:\Users\Admin\AppData\Local\Temp\F2D5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F2D5.exe

"C:\Users\Admin\AppData\Local\Temp\F2D5.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2832 -ip 2832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1224

C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe

"C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe"

C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build3.exe

"C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 152

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe

"C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\CQfB1OXqBf.exe"

C:\Users\Admin\AppData\Local\Temp\CQfB1OXqBf.exe

"C:\Users\Admin\AppData\Local\Temp\CQfB1OXqBf.exe"

C:\Users\Admin\AppData\Local\Temp\A4F2.exe

C:\Users\Admin\AppData\Local\Temp\A4F2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4600 -ip 4600

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp",Fwpthq

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 564

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f6ae7850-78c4-437f-a14d-8441189266eb\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\C9A1.exe

C:\Users\Admin\AppData\Local\Temp\C9A1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3992 -ip 3992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1248

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22795

C:\Users\Admin\AppData\Local\Temp\1561.exe

C:\Users\Admin\AppData\Local\Temp\1561.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network


Files
