Malware Analysis Report

2025-01-18 08:08

Sample ID 230111-xx8gxshh71
Target file.exe
SHA256 fd8d1e70b3e9c7188a151be315a9daaf94af8d8da9950899a88af5cf9886e968
Tags
smokeloader backdoor trojan aurora dcrat djvu icedid redline vidar 19 743920601 3131022508 banker discovery infostealer loader persistence ransomware rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd8d1e70b3e9c7188a151be315a9daaf94af8d8da9950899a88af5cf9886e968

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary


RedLine

Djvu Ransomware

Vidar

Aurora

SmokeLoader

Detected Djvu ransomware

DcRat

Detects Smokeloader packer

Suspicious use of NtCreateUserProcessOtherParentProcess

IcedID, BokBot

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Checks computer location settings

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

GoLang User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Delays execution with timeout.exe

Checks processor information in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Gathers network information

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-11 19:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-11 19:15

Reported

2023-01-11 19:17

Platform

win7-20221111-en

Max time kernel

150s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

N/A

Files

memory/1148-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

memory/1148-56-0x0000000000230000-0x0000000000239000-memory.dmp

memory/1148-55-0x000000000064D000-0x0000000000663000-memory.dmp

memory/1148-57-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1148-58-0x0000000000400000-0x0000000000456000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-11 19:15

Reported

2023-01-11 19:17

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Aurora

stealer aurora

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c920b25-cdd4-42b5-977a-a69c14354eb4\\F514.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F514.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

IcedID, BokBot

trojan banker icedid

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1820 created 1120 N/A C:\Users\Admin\AppData\Local\Temp\E7E7.exe C:\Windows\System32\computerdefaults.exe

Vidar

stealer vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F514.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F514.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D54.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c920b25-cdd4-42b5-977a-a69c14354eb4\\F514.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F514.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\WindowsPrograms\\WindowsHost.exe\"" C:\Users\Admin\AppData\Local\Temp\D54.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA07.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FA07.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002b5622a2100054656d7000003a0009000400efbe0c5519992b5622a22e00000000000000000000000000000000000000000000000000407cda00540065006d007000000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FA07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 2108 N/A N/A C:\Users\Admin\AppData\Local\Temp\F38C.exe
PID 744 wrote to memory of 732 N/A N/A C:\Users\Admin\AppData\Local\Temp\F514.exe
PID 744 wrote to memory of 4396 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA07.exe
PID 744 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB9E.exe
PID 744 wrote to memory of 4232 N/A N/A C:\Users\Admin\AppData\Local\Temp\42.exe
PID 732 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\F514.exe C:\Users\Admin\AppData\Local\Temp\F514.exe
PID 224 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\F514.exe C:\Windows\SysWOW64\icacls.exe
PID 224 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\F514.exe C:\Users\Admin\AppData\Local\Temp\F514.exe
PID 3724 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\F514.exe C:\Users\Admin\AppData\Local\Temp\F514.exe
PID 3836 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\F514.exe C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
PID 4232 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\42.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3836 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\F514.exe C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe
PID 1836 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 5064 wrote to memory of 4452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 5064 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5064 wrote to memory of 3524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\F38C.exe

C:\Users\Admin\AppData\Local\Temp\F38C.exe

C:\Users\Admin\AppData\Local\Temp\F514.exe

C:\Users\Admin\AppData\Local\Temp\F514.exe

C:\Users\Admin\AppData\Local\Temp\FA07.exe

C:\Users\Admin\AppData\Local\Temp\FA07.exe

C:\Users\Admin\AppData\Local\Temp\FB9E.exe

C:\Users\Admin\AppData\Local\Temp\FB9E.exe

C:\Users\Admin\AppData\Local\Temp\42.exe

C:\Users\Admin\AppData\Local\Temp\42.exe

C:\Users\Admin\AppData\Local\Temp\F514.exe

C:\Users\Admin\AppData\Local\Temp\F514.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2304 -ip 2304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 344

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5c920b25-cdd4-42b5-977a-a69c14354eb4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\F514.exe

"C:\Users\Admin\AppData\Local\Temp\F514.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F514.exe

"C:\Users\Admin\AppData\Local\Temp\F514.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe

"C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 140

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe

"C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe

"C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe

"C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\95DC.exe

C:\Users\Admin\AppData\Local\Temp\95DC.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp",Edoqqdswdffqipe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 544

C:\Users\Admin\AppData\Local\Temp\C7DA.exe

C:\Users\Admin\AppData\Local\Temp\C7DA.exe

C:\Users\Admin\AppData\Local\Temp\D009.exe

C:\Users\Admin\AppData\Local\Temp\D009.exe

C:\Users\Admin\AppData\Local\Temp\E7E7.exe

C:\Users\Admin\AppData\Local\Temp\E7E7.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe

C:\Windows\System32\computerdefaults.exe

C:\Windows\System32\computerdefaults.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\ProgramData\intel.dll, Entry

C:\Users\Admin\AppData\Local\Temp\F9AB.exe

C:\Users\Admin\AppData\Local\Temp\F9AB.exe

C:\Users\Admin\AppData\Local\Temp\FE30.exe

C:\Users\Admin\AppData\Local\Temp\FE30.exe

C:\Users\Admin\AppData\Local\Temp\D54.exe

C:\Users\Admin\AppData\Local\Temp\D54.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig/release

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe

"C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig/renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23803

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network


Files

memory/4844-132-0x00000000005EE000-0x0000000000603000-memory.dmp

memory/4844-133-0x0000000002190000-0x0000000002199000-memory.dmp

memory/4844-134-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4844-135-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2108-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F38C.exe

MD5 02ff76dbe2bb9fc49ddea931896601d3
SHA1 037f7708d988957d49243b2e93df0878e22e0030
SHA256 30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0
SHA512 79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85

C:\Users\Admin\AppData\Local\Temp\F38C.exe

MD5 02ff76dbe2bb9fc49ddea931896601d3
SHA1 037f7708d988957d49243b2e93df0878e22e0030
SHA256 30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0
SHA512 79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85

memory/2108-139-0x0000000140000000-0x0000000140008000-memory.dmp

memory/732-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F514.exe

MD5 5d09682b08307cf7e7d4ee43b3b04791
SHA1 8668ef968def3d1e58bc5d3bb57088f0550a3b2d
SHA256 b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3
SHA512 a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

C:\Users\Admin\AppData\Local\Temp\F514.exe

MD5 5d09682b08307cf7e7d4ee43b3b04791
SHA1 8668ef968def3d1e58bc5d3bb57088f0550a3b2d
SHA256 b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3
SHA512 a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

memory/2108-148-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4396-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FA07.exe

MD5 b0ad477a4ca4a8a67f8ca0f8e43d8ef5
SHA1 b23b74f93f5c2eb4b0ba1b36ff7f27d1240ffbd0
SHA256 7b4477362fa5411d483f384852249d5638c0bf93a4e913a7868d37883686f725
SHA512 900da510c37c0d060d16b407995e26d8e79a69f13c62d91375c4d4946cd50a81648bdbe75f26d78625dc0abb1452b313de8ab8c58e1cbe4f4117b3e3cb766fad

C:\Users\Admin\AppData\Local\Temp\FA07.exe

MD5 b0ad477a4ca4a8a67f8ca0f8e43d8ef5
SHA1 b23b74f93f5c2eb4b0ba1b36ff7f27d1240ffbd0
SHA256 7b4477362fa5411d483f384852249d5638c0bf93a4e913a7868d37883686f725
SHA512 900da510c37c0d060d16b407995e26d8e79a69f13c62d91375c4d4946cd50a81648bdbe75f26d78625dc0abb1452b313de8ab8c58e1cbe4f4117b3e3cb766fad

memory/2304-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FB9E.exe

MD5 1d04438d49e15bad354bc606852e43dd
SHA1 febdfc26cf1a443bd22ab4b0745ce21fece43556
SHA256 1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77
SHA512 4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24

C:\Users\Admin\AppData\Local\Temp\FB9E.exe

MD5 1d04438d49e15bad354bc606852e43dd
SHA1 febdfc26cf1a443bd22ab4b0745ce21fece43556
SHA256 1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77
SHA512 4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24

memory/4232-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\42.exe

MD5 1a450a1a716cdb1bc3bd0b7467c2f157
SHA1 195d2f7052897360b07cf68a9f05794fcb41d88e
SHA256 88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b
SHA512 de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

C:\Users\Admin\AppData\Local\Temp\42.exe

MD5 1a450a1a716cdb1bc3bd0b7467c2f157
SHA1 195d2f7052897360b07cf68a9f05794fcb41d88e
SHA256 88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b
SHA512 de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

memory/732-159-0x0000000001FAF000-0x0000000002040000-memory.dmp

memory/732-160-0x0000000002290000-0x00000000023AB000-memory.dmp

memory/224-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/224-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F514.exe

MD5 5d09682b08307cf7e7d4ee43b3b04791
SHA1 8668ef968def3d1e58bc5d3bb57088f0550a3b2d
SHA256 b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3
SHA512 a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

memory/224-164-0x0000000000400000-0x0000000000537000-memory.dmp

memory/224-165-0x0000000000400000-0x0000000000537000-memory.dmp

memory/224-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4396-167-0x0000000000460000-0x0000000000560000-memory.dmp

memory/4396-168-0x0000000001F10000-0x0000000001F19000-memory.dmp

memory/4396-169-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2304-170-0x000000000056D000-0x0000000000583000-memory.dmp

memory/2304-171-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3672-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\5c920b25-cdd4-42b5-977a-a69c14354eb4\F514.exe

MD5 5d09682b08307cf7e7d4ee43b3b04791
SHA1 8668ef968def3d1e58bc5d3bb57088f0550a3b2d
SHA256 b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3
SHA512 a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

memory/3724-174-0x0000000000000000-mapping.dmp

memory/224-176-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F514.exe

MD5 5d09682b08307cf7e7d4ee43b3b04791
SHA1 8668ef968def3d1e58bc5d3bb57088f0550a3b2d
SHA256 b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3
SHA512 a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

memory/3836-177-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F514.exe

MD5 5d09682b08307cf7e7d4ee43b3b04791
SHA1 8668ef968def3d1e58bc5d3bb57088f0550a3b2d
SHA256 b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3
SHA512 a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

memory/3724-181-0x0000000002053000-0x00000000020E4000-memory.dmp

memory/3836-180-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3836-182-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4396-183-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 61a9f01083346a0ee40dc68983932b14
SHA1 85737a00e510acc709a5ea03d04a666bf41eb912
SHA256 db745e7939f305e69baa8e6fda50687f545b5b9af3cffbd290f1223d7956c1e7
SHA512 80edf82ede77a5657e92ca9c6ec45fe28118f1f0372d33e377185f7043580ee136927922556795552b41b9bd03aaef9a0273758af375b56ad4470aa23ac88349

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 64412091db0f45c3b3b874fca834e218
SHA1 4357fb4cd9ae84ec01c34f207ae762151a558f63
SHA256 94b12ac2a928111f086c26336e68027d5fd730c7d743dbad3d3290ddf2ca4fe6
SHA512 593ecf05377ef874e6f922f66a079f1a454cc1189a07507e79bdfff04390c41ffa30b22ba35fe789a7bf3526d297d52d9f46f11d846ce48d4694f6929a8f771d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 deb5907196e6e5e0e915c276f65a6924
SHA1 62802115ee04a17e66297fbfd5ab8d933040ffdb
SHA256 48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1
SHA512 4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 5d41cfd5676516ee25dc3b52690ecd74
SHA1 f4c825cc88aa0d48fbec9919d8b3df6f0ad7de4c
SHA256 042247a466bdb0a48fa2c287b37b9e54be19d6c26a55d9403a2e77c4ca60dd12
SHA512 2f8c9e7cb9ce40fde173ad17a2405fac09164dbda5c2f43fa65558c969dc7b6bb0a690b32725423e8eaa94b7cc27d938909238000920c22a2fb03889e918ed26

memory/3836-188-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1640-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe

MD5 866933fee5234be619d89a6d6a60bd88
SHA1 fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256 ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512 fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe

MD5 866933fee5234be619d89a6d6a60bd88
SHA1 fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256 ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512 fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

memory/5064-192-0x0000000000000000-mapping.dmp

memory/5064-193-0x0000000000400000-0x0000000000876000-memory.dmp

memory/5064-202-0x0000000000400000-0x0000000000876000-memory.dmp

memory/4232-203-0x0000000000F20000-0x000000000139E000-memory.dmp

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1428-207-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1836-204-0x0000000000000000-mapping.dmp

memory/4452-208-0x0000000000000000-mapping.dmp

memory/2736-209-0x0000000000000000-mapping.dmp

memory/2948-210-0x0000000000000000-mapping.dmp

memory/3524-211-0x0000000000000000-mapping.dmp

memory/1420-212-0x0000000000000000-mapping.dmp

memory/4048-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe

MD5 866933fee5234be619d89a6d6a60bd88
SHA1 fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256 ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512 fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

memory/4048-214-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1640-217-0x000000000055D000-0x000000000058A000-memory.dmp

memory/4048-216-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4048-219-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1640-218-0x0000000001FB0000-0x0000000001FFC000-memory.dmp

memory/4048-220-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4888-221-0x0000000000000000-mapping.dmp

memory/4888-222-0x0000000002BD0000-0x0000000002C06000-memory.dmp

memory/4888-223-0x0000000005820000-0x0000000005E48000-memory.dmp

memory/4888-224-0x0000000005560000-0x0000000005582000-memory.dmp

memory/4888-225-0x0000000005E50000-0x0000000005EB6000-memory.dmp

memory/4888-226-0x0000000005EC0000-0x0000000005F26000-memory.dmp

memory/3836-227-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4888-228-0x00000000064F0000-0x000000000650E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4888-231-0x0000000006A80000-0x0000000006B16000-memory.dmp

memory/4888-232-0x0000000006A00000-0x0000000006A1A000-memory.dmp

memory/3152-233-0x0000000000000000-mapping.dmp

memory/4888-234-0x0000000006A50000-0x0000000006A72000-memory.dmp

memory/4888-235-0x0000000007A80000-0x0000000008024000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe

MD5 c6917bc242058814f64360de5b4320be
SHA1 4c1959cc707acb43a1466d166e151c517164edc2
SHA256 732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516
SHA512 2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb

memory/3912-237-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe

MD5 c6917bc242058814f64360de5b4320be
SHA1 4c1959cc707acb43a1466d166e151c517164edc2
SHA256 732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516
SHA512 2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb

memory/3912-239-0x0000000002E49000-0x0000000002E59000-memory.dmp

memory/3912-240-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

memory/3912-241-0x0000000000400000-0x0000000002B9D000-memory.dmp

memory/4048-242-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3912-243-0x0000000000400000-0x0000000002B9D000-memory.dmp

memory/4048-244-0x00000000509A0000-0x0000000050A32000-memory.dmp

C:\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

C:\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

memory/4344-265-0x0000000000000000-mapping.dmp

memory/4048-266-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4576-267-0x0000000000000000-mapping.dmp

memory/4352-268-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\95DC.exe

MD5 7a66992f14ec9015181ed2d580c190ff
SHA1 9674bf45d8017f7753ddd6e106a8974bb87860c0
SHA256 34d3c6e0521570cf69ae828b240b19b3314e9b63d534d9a62ce81f6ac5eee8f7
SHA512 e499c16f7cd9516e72745618443630bc9ca0218bc31118c49dde9ca63ffb067e65fd8b62c0326c80204156ffc030d1163910440197905be7333f64f056776dc7

C:\Users\Admin\AppData\Local\Temp\95DC.exe

MD5 7a66992f14ec9015181ed2d580c190ff
SHA1 9674bf45d8017f7753ddd6e106a8974bb87860c0
SHA256 34d3c6e0521570cf69ae828b240b19b3314e9b63d534d9a62ce81f6ac5eee8f7
SHA512 e499c16f7cd9516e72745618443630bc9ca0218bc31118c49dde9ca63ffb067e65fd8b62c0326c80204156ffc030d1163910440197905be7333f64f056776dc7

memory/4004-271-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp

MD5 710af73b2d7e92d33fac751318c08101
SHA1 2208c96a528b1d96e18ae47ab274f303e4099fff
SHA256 72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3
SHA512 1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp

MD5 710af73b2d7e92d33fac751318c08101
SHA1 2208c96a528b1d96e18ae47ab274f303e4099fff
SHA256 72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3
SHA512 1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

memory/4352-274-0x000000000216A000-0x000000000224B000-memory.dmp

memory/4352-275-0x0000000002350000-0x0000000002470000-memory.dmp

memory/4352-276-0x0000000000400000-0x0000000000523000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7DA.exe

MD5 322740661a3e59ff7e4fc4482c17b6cd
SHA1 107b0dad706cd1acaf76cd31caea9fff87a0cd0b
SHA256 b9cbe1bc0246eb38236e67fb2039168c2998a205809843f16f771722d1d67d0f
SHA512 a46b00879932f217b8ff5d4d88fe61a4ed747e2ffa66b8bcb1f08286f336fe2d56714b23bace9dc3219668632d3028d4f0bf337b83ddf7a2c6f8815743c0de86

memory/420-277-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C7DA.exe

MD5 322740661a3e59ff7e4fc4482c17b6cd
SHA1 107b0dad706cd1acaf76cd31caea9fff87a0cd0b
SHA256 b9cbe1bc0246eb38236e67fb2039168c2998a205809843f16f771722d1d67d0f
SHA512 a46b00879932f217b8ff5d4d88fe61a4ed747e2ffa66b8bcb1f08286f336fe2d56714b23bace9dc3219668632d3028d4f0bf337b83ddf7a2c6f8815743c0de86

C:\Users\Admin\AppData\Local\Temp\D009.exe

MD5 9748489855d9dd82ab09da5e3e55b19e
SHA1 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA256 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA512 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

C:\Users\Admin\AppData\Local\Temp\D009.exe

MD5 9748489855d9dd82ab09da5e3e55b19e
SHA1 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA256 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA512 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

memory/2448-280-0x0000000000000000-mapping.dmp

memory/2448-283-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

memory/2448-284-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp

memory/420-285-0x000000000050D000-0x0000000000527000-memory.dmp

memory/420-286-0x0000000001F80000-0x0000000001FAA000-memory.dmp

memory/420-287-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 3c66ee468dfa0688e6d22ca20d761140
SHA1 965c713cd69439ee5662125f0390a2324a7859bf
SHA256 4b230d2eaf9e5441f56db135faca2c761001787249d2358133e4f368061a1ea3
SHA512 4b29902d881bf20305322cc6a7bffb312187be86f4efa658a9d3c455e84f9f8b0d07f6f2bb6dac42ac050dc6f8d876e2b9df0ef4d5d1bb7e9be1223d652e04c6

memory/1820-289-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E7E7.exe

MD5 a05183b5af3370cc1bcc933c061d8596
SHA1 d8e5157a786191e35847c3fa25a07d6fc4462ac3
SHA256 a22e9b633917deb3d58c264577786289e3e0fbf5cd76a93debf52c5f630ba58e
SHA512 9fb93e8b34aec3917f06a18a042cdcc7d27fc76c155b9ee63d387c8d5ebe70c04c9dec4b86088f14bb16053f6fdb959013e592c16fa74267cc3fade7dda0f42e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 423dbe8bdc384a0c17da1b937a22a084
SHA1 1f98a54997dc09e70b93aa85cc533ad1d97e22cb
SHA256 ea72a9be0c8e86059b34268fd9fef271acf177c96d4b77c08484f6b9db36487d
SHA512 e81e407f135235d9ba6005da3680e50bfadc64a85339855ce100964fcd9024b2c14b3817490606f94c09a27ec53d29ab3560e07c828dfa3f8b048f4ab1c3e043

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 674500a7bab0b260aa09403d126204eb
SHA1 63f0a5474fb2c30ac23a224ff9cfcda7009abb72
SHA256 298fa716d7ed652783ad89d0ddf50435caef4f35c422afc689ea21f3f5f0d107
SHA512 37233a4f52a54ae43a03c3ccee875410385b4e520a0307093e332787bb86c3677d05ffdfb82d18bbb36ac43a6ddd12011591f7217230970b5ce7677a1ca7979c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 cfd5200468ca20b4561e49d536b74f1b
SHA1 8abac3f0e8e0384ef3d3eb27c2b1876a43061bfd
SHA256 c0c39dcc1a459a7ab51209e52342480d91076253dbb53303ce5c01465d271ac0
SHA512 cb84e19fe1e2f08367874a78fe325cfca5f08a7408adf39c2fbff1da7abdb304e392a7260c5bd683e622bf498f88315f7383854430e8755bb6fa8e217023503f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 cb25b902cb00a5f817ff4e2d3c2ff512
SHA1 eb18d25b536b58ac2b70b7444bb95616915c798a
SHA256 8eb0284f8a54400a3e31f969fae9e81defe1fa3f9aefdda4f6a3f35227a5e587
SHA512 d02bf534f92cb0aca4176ce6674f40d1533fd7d73e5f176c2145a34a251f2434189d9c490e2e39e682c5d6c9c6067d78bd91f5c3173090a1f0e3c3364d584f45

memory/3404-296-0x0000000000000000-mapping.dmp

C:\ProgramData\intel.dll

MD5 a8375653ea2b8b06eb7e6f3760d11d7e
SHA1 f6b84d7179d8a3fd6e911d94e7cef4db71457df1
SHA256 1e88c720fba0938e82bd81bb75fea4e4edd2a612d0ad4913de334cd16bc972f2
SHA512 82182199246d9cfd8eb0682cdd11484fcda785390b98f0fa19fc7d0a34eea1ba56de5a6026a2228a1fe6cf582deda7c20de89adf5cb188786d9b7dfb0d0ff6f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86

MD5 27ceb86384eae5123785ec9a99d7a82a
SHA1 a26a9db3d8749f700c8bdb555810a9d229728684
SHA256 97ab1083a8b2fb0a5b5a009088374deeef3877f7e9bff27b281f910eef43d797
SHA512 b05bc4184537369923b73c062842a7640734f4156f833459fd03a214b65e5c188d1a0d5de7cd9221e6bb071015b9fc5fa3a768ffcaab1150a0ac702c1f59cbbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86

MD5 9f6f2feb04b8662fc9907be249c72b0f
SHA1 7f34ef3307815bbc4b4ca446b7306d4a0965856e
SHA256 763c83abd46fbc55573e597449323045e7df169dd4fd1e8cbe3b6a70db2f8811
SHA512 1f0e6daca94d786fa2bb9db9fe985fc3f2bc12868a35067dd9639728acdfc8aeec23ddcc6b2fff8bec6a0c81e7250546e9ff4d305524b18ff8b64e7c322cedb5

memory/3404-301-0x00000000055F0000-0x00000000057B2000-memory.dmp

memory/420-302-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3404-303-0x0000000005E30000-0x000000000635C000-memory.dmp

memory/4488-304-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F9AB.exe

MD5 9748489855d9dd82ab09da5e3e55b19e
SHA1 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA256 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA512 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

memory/4488-307-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp

memory/2288-308-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FE30.exe

MD5 9748489855d9dd82ab09da5e3e55b19e
SHA1 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA256 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA512 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

memory/2288-311-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp

memory/1260-312-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D54.exe

MD5 65abb47a2e20764cc72afb0ffb5db36e
SHA1 b734b77de71565b307272e9b76519d7ee1fbd468
SHA256 0c9720d53f929fa105c068e3383bf62bc5bb6f964796de182d21306270b2a496
SHA512 8d385b4581145fa5ea2cc4185f27c9f71b29e1f73b917710270e96d5d1c1a7530db6ebd1c1185ebb9fb8742628b7b8a74641dcdcac62407a7dcf64169e6f4658

memory/1260-315-0x00000000009B0000-0x00000000009B8000-memory.dmp

memory/1260-316-0x0000000005250000-0x00000000052E2000-memory.dmp

memory/1260-317-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

memory/3564-318-0x0000000000000000-mapping.dmp

memory/3564-319-0x00000000004F0000-0x00000000004F7000-memory.dmp

memory/3564-320-0x00000000004E0000-0x00000000004EB000-memory.dmp

memory/3912-321-0x0000000000000000-mapping.dmp

memory/3912-322-0x0000000001080000-0x0000000001089000-memory.dmp

memory/3912-323-0x0000000000DF0000-0x0000000000DFF000-memory.dmp

memory/3656-324-0x0000000000000000-mapping.dmp

memory/3656-325-0x0000000000BE0000-0x0000000000BE5000-memory.dmp

memory/3656-326-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

memory/1748-327-0x0000000000000000-mapping.dmp

memory/1748-328-0x0000000000720000-0x0000000000726000-memory.dmp

memory/1748-329-0x0000000000710000-0x000000000071C000-memory.dmp

memory/1812-330-0x0000000000000000-mapping.dmp

memory/4408-331-0x0000000000000000-mapping.dmp

memory/532-332-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/1768-334-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07fd8db6ff76a0b7e1fb2a919d1af689
SHA1 1a6355cd500d1ae67e72d6b94946c07783966d6a
SHA256 46a4dc2397d79efe89dcd65f373555abbd7947f3d24b0eb3f1e33cd9a29d7cf4
SHA512 4013b56b4ea238b5bd0979988b77e2b0aa1647e73b4c2632004607752cd7d67b4bd73e89fa7216b6f8d0cf45fb725b81cca4be71aee1d8f0337bfce7fe21d2c6

memory/1768-336-0x0000000001430000-0x0000000001452000-memory.dmp

memory/1768-337-0x0000000001400000-0x0000000001427000-memory.dmp

memory/1208-339-0x0000000000000000-mapping.dmp

memory/752-342-0x0000000000000000-mapping.dmp

memory/2736-345-0x0000000000000000-mapping.dmp

memory/2604-348-0x0000000000000000-mapping.dmp

memory/4004-352-0x00000000061C0000-0x0000000006D1B000-memory.dmp

memory/4004-356-0x00000000046F0000-0x0000000004830000-memory.dmp

memory/4004-357-0x00000000046F0000-0x0000000004830000-memory.dmp

memory/1840-360-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe

MD5 ee2e25daf0fe98f9e5d3bd1898f9913a
SHA1 e98706c52a37848beaa3623592c6ff6a8b2faf5b
SHA256 6255901c51fb16a8638004f7f953903391eb40fb96d49f27616a8ca537334983
SHA512 dc03a6c07f6fa778915f586b05aa0c8c2b3cd2f4c3672cedd2ec7fb47857dffba05b50d843490cd00d8f9913fde74d0617e27c1410618a1ead826537fbea8c38

memory/1480-368-0x0000000000000000-mapping.dmp

memory/3876-369-0x0000000000000000-mapping.dmp

memory/448-370-0x0000000000000000-mapping.dmp

memory/4068-371-0x0000000000000000-mapping.dmp

memory/4004-377-0x00000000046F0000-0x0000000004830000-memory.dmp

memory/4004-378-0x00000000046F0000-0x0000000004830000-memory.dmp

memory/4004-379-0x00000000046F0000-0x0000000004830000-memory.dmp

memory/4004-380-0x00000000046F0000-0x0000000004830000-memory.dmp

memory/388-381-0x00007FF7167E6890-mapping.dmp

memory/388-382-0x000001AFA53F0000-0x000001AFA5530000-memory.dmp

memory/388-383-0x000001AFA53F0000-0x000001AFA5530000-memory.dmp